bitrat | 5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d

Analysis

max time kernel
300s
max time network
309s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
Size

4.6MB
MD5

18659566d6597e168fd75f0f64ae0acf
SHA1

fff293bd1462125fe483746807abfd78d7e7a68e
SHA256

5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d
SHA512

a51845c1b5d2971ea77adfdd49e66b6ab2a4ec3ea23fc1f4913bf26c1204c6a4c87785ae5e09730d8efcbb934c991a8be0d689308f9de058d81f04560b3b9282
SSDEEP

98304:4lxNooNy3ezMYFgCMGoVGjjCSsVzQBh9pAO5PuKBeVUFyiZuqnv:2KojxasoO6zQBGO5PNsVUF9u

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

185.31.111.198:25001

Attributes

communication_password
d7dcd79b773dc85c89b84862cdedb6cf
install_dir
temp
install_file
system.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\temp\\system.exe\uff00"	AddInProcess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\temp\\system.exe"	AddInProcess32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1140	AddInProcess32.exe
1140	AddInProcess32.exe
1140	AddInProcess32.exe
1140	AddInProcess32.exe
4344	AddInProcess32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 set thread context of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
Token: SeShutdownPrivilege	1140	AddInProcess32.exe
Token: SeShutdownPrivilege	4344	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1140	AddInProcess32.exe
1140	AddInProcess32.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2196	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	72
PID 3896 wrote to memory of 2196	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	72
PID 3896 wrote to memory of 4416	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	73
PID 3896 wrote to memory of 4416	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	73
PID 3896 wrote to memory of 3544	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	74
PID 3896 wrote to memory of 3544	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	74
PID 3896 wrote to memory of 2848	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	75
PID 3896 wrote to memory of 2848	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	75
PID 3896 wrote to memory of 2224	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	76
PID 3896 wrote to memory of 2224	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	76
PID 3896 wrote to memory of 1008	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	77
PID 3896 wrote to memory of 1008	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	77
PID 3896 wrote to memory of 4148	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	78
PID 3896 wrote to memory of 4148	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	78
PID 3896 wrote to memory of 2308	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	79
PID 3896 wrote to memory of 2308	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	79
PID 3896 wrote to memory of 2264	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	80
PID 3896 wrote to memory of 2264	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	80
PID 3896 wrote to memory of 3096	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	81
PID 3896 wrote to memory of 3096	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	81
PID 3896 wrote to memory of 3468	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	82
PID 3896 wrote to memory of 3468	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	82
PID 3896 wrote to memory of 3468	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	82
PID 3896 wrote to memory of 504	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	83
PID 3896 wrote to memory of 504	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	83
PID 3896 wrote to memory of 3084	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	84
PID 3896 wrote to memory of 3084	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	84
PID 3896 wrote to memory of 4300	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	85
PID 3896 wrote to memory of 4300	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	85
PID 3896 wrote to memory of 1420	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	86
PID 3896 wrote to memory of 1420	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	86
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 1140	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	87
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88
PID 3896 wrote to memory of 4344	3896	5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe	88

C:\Users\Admin\AppData\Local\Temp\5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe
"C:\Users\Admin\AppData\Local\Temp\5d5318419153167c1c9bd2df966ab89afa9e881542730536dd52602e1507419d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:3544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:4148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:3096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:3468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:3084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-45-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-55-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-113-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-110-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-107-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-47-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-103-0x0000000073EB0000-0x0000000073EEA000-memory.dmp

Filesize
232KB

Download
memory/1140-102-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-99-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-96-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-93-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-90-0x0000000073E50000-0x0000000073E8A000-memory.dmp

Filesize
232KB

Download
memory/1140-81-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-80-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-79-0x0000000073E80000-0x0000000073EBA000-memory.dmp

Filesize
232KB

Download
memory/1140-49-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-51-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-56-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-22-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-24-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-25-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-26-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-53-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1140-104-0x0000000073E80000-0x0000000073EBA000-memory.dmp

Filesize
232KB

Download
memory/1140-43-0x0000000073EB0000-0x0000000073EEA000-memory.dmp

Filesize
232KB

Download
memory/3896-17-0x00007FFD72670000-0x00007FFD7305C000-memory.dmp

Filesize
9.9MB

Download
memory/3896-75-0x0000000000E00000-0x0000000001280000-memory.dmp

Filesize
4.5MB

Download
memory/3896-34-0x00007FFD8C270000-0x00007FFD8C4B9000-memory.dmp

Filesize
2.3MB

Download
memory/3896-35-0x00007FFD8CEC0000-0x00007FFD8CF5D000-memory.dmp

Filesize
628KB

Download
memory/3896-36-0x00007FFD8B980000-0x00007FFD8BA76000-memory.dmp

Filesize
984KB

Download
memory/3896-3-0x000002795EE90000-0x000002795EED1000-memory.dmp

Filesize
260KB

Download
memory/3896-39-0x00007FFD8EB60000-0x00007FFD8EE59000-memory.dmp

Filesize
3.0MB

Download
memory/3896-40-0x00007FFD8CF60000-0x00007FFD8D001000-memory.dmp

Filesize
644KB

Download
memory/3896-41-0x00007FFD8F020000-0x00007FFD8F079000-memory.dmp

Filesize
356KB

Download
memory/3896-42-0x00007FFD8D010000-0x00007FFD8D061000-memory.dmp

Filesize
324KB

Download
memory/3896-58-0x00007FFD83BD0000-0x00007FFD83CC7000-memory.dmp

Filesize
988KB

Download
memory/3896-9-0x00007FFD8C870000-0x00007FFD8C91E000-memory.dmp

Filesize
696KB

Download
memory/3896-7-0x00007FFD86590000-0x00007FFD8662C000-memory.dmp

Filesize
624KB

Download
memory/3896-1-0x000002795EE90000-0x000002795EED1000-memory.dmp

Filesize
260KB

Download
memory/3896-46-0x00007FFD8EED0000-0x00007FFD8F01A000-memory.dmp

Filesize
1.3MB

Download
memory/3896-52-0x00007FFD86590000-0x00007FFD8662C000-memory.dmp

Filesize
624KB

Download
memory/3896-50-0x00007FFD86630000-0x00007FFD86693000-memory.dmp

Filesize
396KB

Download
memory/3896-21-0x0000027977910000-0x0000027977D42000-memory.dmp

Filesize
4.2MB

Download
memory/3896-57-0x00007FFD72670000-0x00007FFD7305C000-memory.dmp

Filesize
9.9MB

Download
memory/3896-44-0x00007FFD8C840000-0x00007FFD8C867000-memory.dmp

Filesize
156KB

Download
memory/3896-20-0x00007FFD8A6B0000-0x00007FFD8A6C4000-memory.dmp

Filesize
80KB

Download
memory/3896-19-0x000002795EFD0000-0x000002795EFE0000-memory.dmp

Filesize
64KB

Download
memory/3896-8-0x00007FFD8CEC0000-0x00007FFD8CF5D000-memory.dmp

Filesize
628KB

Download
memory/3896-11-0x00007FFD8EED0000-0x00007FFD8F01A000-memory.dmp

Filesize
1.3MB

Download
memory/3896-72-0x00007FFD8C720000-0x00007FFD8C776000-memory.dmp

Filesize
344KB

Download
memory/3896-0-0x0000000000E00000-0x0000000001280000-memory.dmp

Filesize
4.5MB

Download
memory/3896-61-0x00007FFD8C920000-0x00007FFD8CA63000-memory.dmp

Filesize
1.3MB

Download
memory/3896-63-0x00007FFD83980000-0x00007FFD83AAC000-memory.dmp

Filesize
1.2MB

Download
memory/3896-65-0x00007FFD8B560000-0x00007FFD8B585000-memory.dmp

Filesize
148KB

Download
memory/3896-10-0x00007FFD8C840000-0x00007FFD8C867000-memory.dmp

Filesize
156KB

Download
memory/3896-70-0x00007FFD8C4E0000-0x00007FFD8C6A9000-memory.dmp

Filesize
1.8MB

Download
memory/3896-67-0x00007FFD8A6B0000-0x00007FFD8A6C4000-memory.dmp

Filesize
80KB

Download
memory/3896-37-0x00007FFD8E6B0000-0x00007FFD8E7D5000-memory.dmp

Filesize
1.1MB

Download
memory/3896-77-0x000002795EE90000-0x000002795EED1000-memory.dmp

Filesize
260KB

Download
memory/3896-33-0x00007FFD8C870000-0x00007FFD8C91E000-memory.dmp

Filesize
696KB

Download
memory/3896-18-0x00007FFD8B560000-0x00007FFD8B585000-memory.dmp

Filesize
148KB

Download
memory/3896-32-0x00007FFD8F220000-0x00007FFD8F3FB000-memory.dmp

Filesize
1.9MB

Download
memory/3896-16-0x00007FFD83980000-0x00007FFD83AAC000-memory.dmp

Filesize
1.2MB

Download
memory/3896-15-0x0000000000E00000-0x0000000001280000-memory.dmp

Filesize
4.5MB

Download
memory/3896-14-0x00007FFD72670000-0x00007FFD7305C000-memory.dmp

Filesize
9.9MB

Download
memory/3896-13-0x00007FFD83BD0000-0x00007FFD83CC7000-memory.dmp

Filesize
988KB

Download
memory/3896-12-0x00007FFD8B720000-0x00007FFD8B731000-memory.dmp

Filesize
68KB

Download
memory/3896-54-0x00007FFD7E490000-0x00007FFD7E49A000-memory.dmp

Filesize
40KB

Download
memory/4344-71-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4344-30-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4344-28-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4344-29-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/4344-59-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download