bitrat | bf6b69cb7063d748e6404300ed8b587473b20b2239605862ccbec909bccf7485

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

586f79d31e3b60f3737c247810e56612.exe
Size

1.8MB
MD5

586f79d31e3b60f3737c247810e56612
SHA1

ec148bed94d3a4e9dabe517533a74b6021d02fef
SHA256

bf6b69cb7063d748e6404300ed8b587473b20b2239605862ccbec909bccf7485
SHA512

0c72552226bebd0b71e789a875693fd157c3071e14ca5abebdb54e1d6cddb326be0db3a7c37957ab0b1a1cf090e3784c09e5085c1e322e16e9984c5e9af5142b
SSDEEP

49152:V2GnkYpnt6j4Va7ep3sQDHDdtf4NN3cpbV:Vk0y4VoeN1DLfiKbV

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

eter102.dvrlists.com:3050

Attributes

communication_password
fea0f7015af40ae69a386f06f28a8d31
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/1392-52-0x0000000005FE0000-0x0000000006058000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-72-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-90-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-110-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-116-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-114-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-112-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-108-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-106-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-104-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-102-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-100-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-98-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-96-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-94-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-92-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-88-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-86-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-84-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-82-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-80-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-78-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-76-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-74-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-70-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-68-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-66-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-64-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-62-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-60-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-58-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-56-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-54-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1
behavioral2/memory/1392-53-0x0000000005FE0000-0x0000000006052000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	586f79d31e3b60f3737c247810e56612.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4204-2406-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4204-2455-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\outlook = "\"C:\\Users\\Admin\\AppData\\Roaming\\outlook.exe\""	586f79d31e3b60f3737c247810e56612.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4204	586f79d31e3b60f3737c247810e56612.exe
4204	586f79d31e3b60f3737c247810e56612.exe
4204	586f79d31e3b60f3737c247810e56612.exe
4204	586f79d31e3b60f3737c247810e56612.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	586f79d31e3b60f3737c247810e56612.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
460	powershell.exe
460	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
1392	586f79d31e3b60f3737c247810e56612.exe
1392	586f79d31e3b60f3737c247810e56612.exe
752	powershell.exe
752	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	powershell.exe
Token: SeIncreaseQuotaPrivilege	460	powershell.exe
Token: SeSecurityPrivilege	460	powershell.exe
Token: SeTakeOwnershipPrivilege	460	powershell.exe
Token: SeLoadDriverPrivilege	460	powershell.exe
Token: SeSystemProfilePrivilege	460	powershell.exe
Token: SeSystemtimePrivilege	460	powershell.exe
Token: SeProfSingleProcessPrivilege	460	powershell.exe
Token: SeIncBasePriorityPrivilege	460	powershell.exe
Token: SeCreatePagefilePrivilege	460	powershell.exe
Token: SeBackupPrivilege	460	powershell.exe
Token: SeRestorePrivilege	460	powershell.exe
Token: SeShutdownPrivilege	460	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeSystemEnvironmentPrivilege	460	powershell.exe
Token: SeRemoteShutdownPrivilege	460	powershell.exe
Token: SeUndockPrivilege	460	powershell.exe
Token: SeManageVolumePrivilege	460	powershell.exe
Token: 33	460	powershell.exe
Token: 34	460	powershell.exe
Token: 35	460	powershell.exe
Token: 36	460	powershell.exe
Token: SeIncreaseQuotaPrivilege	460	powershell.exe
Token: SeSecurityPrivilege	460	powershell.exe
Token: SeTakeOwnershipPrivilege	460	powershell.exe
Token: SeLoadDriverPrivilege	460	powershell.exe
Token: SeSystemProfilePrivilege	460	powershell.exe
Token: SeSystemtimePrivilege	460	powershell.exe
Token: SeProfSingleProcessPrivilege	460	powershell.exe
Token: SeIncBasePriorityPrivilege	460	powershell.exe
Token: SeCreatePagefilePrivilege	460	powershell.exe
Token: SeBackupPrivilege	460	powershell.exe
Token: SeRestorePrivilege	460	powershell.exe
Token: SeShutdownPrivilege	460	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeSystemEnvironmentPrivilege	460	powershell.exe
Token: SeRemoteShutdownPrivilege	460	powershell.exe
Token: SeUndockPrivilege	460	powershell.exe
Token: SeManageVolumePrivilege	460	powershell.exe
Token: 33	460	powershell.exe
Token: 34	460	powershell.exe
Token: 35	460	powershell.exe
Token: 36	460	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeIncreaseQuotaPrivilege	3476	powershell.exe
Token: SeSecurityPrivilege	3476	powershell.exe
Token: SeTakeOwnershipPrivilege	3476	powershell.exe
Token: SeLoadDriverPrivilege	3476	powershell.exe
Token: SeSystemProfilePrivilege	3476	powershell.exe
Token: SeSystemtimePrivilege	3476	powershell.exe
Token: SeProfSingleProcessPrivilege	3476	powershell.exe
Token: SeIncBasePriorityPrivilege	3476	powershell.exe
Token: SeCreatePagefilePrivilege	3476	powershell.exe
Token: SeBackupPrivilege	3476	powershell.exe
Token: SeRestorePrivilege	3476	powershell.exe
Token: SeShutdownPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeSystemEnvironmentPrivilege	3476	powershell.exe
Token: SeRemoteShutdownPrivilege	3476	powershell.exe
Token: SeUndockPrivilege	3476	powershell.exe
Token: SeManageVolumePrivilege	3476	powershell.exe
Token: 33	3476	powershell.exe
Token: 34	3476	powershell.exe
Token: 35	3476	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4204	586f79d31e3b60f3737c247810e56612.exe
4204	586f79d31e3b60f3737c247810e56612.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 460	1392	586f79d31e3b60f3737c247810e56612.exe	91
PID 1392 wrote to memory of 460	1392	586f79d31e3b60f3737c247810e56612.exe	91
PID 1392 wrote to memory of 460	1392	586f79d31e3b60f3737c247810e56612.exe	91
PID 1392 wrote to memory of 3476	1392	586f79d31e3b60f3737c247810e56612.exe	98
PID 1392 wrote to memory of 3476	1392	586f79d31e3b60f3737c247810e56612.exe	98
PID 1392 wrote to memory of 3476	1392	586f79d31e3b60f3737c247810e56612.exe	98
PID 1392 wrote to memory of 3136	1392	586f79d31e3b60f3737c247810e56612.exe	107
PID 1392 wrote to memory of 3136	1392	586f79d31e3b60f3737c247810e56612.exe	107
PID 1392 wrote to memory of 3136	1392	586f79d31e3b60f3737c247810e56612.exe	107
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 1392 wrote to memory of 4204	1392	586f79d31e3b60f3737c247810e56612.exe	108
PID 3136 wrote to memory of 752	3136	WScript.exe	109
PID 3136 wrote to memory of 752	3136	WScript.exe	109
PID 3136 wrote to memory of 752	3136	WScript.exe	109

C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
"C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:752
- C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
  C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
5b1ee9554b62a707a61e0ac7bb847b32

SHA1
c1d1ec7a74de9d34712dde2f0b28205b92230985

SHA256
42078ab3e14d24babb39b4b2151926a93190d5c4cd07667b3c24a228cdc3c3dd

SHA512
8003359d4549133e292a0dd797a9837a92a01c1913abc93ca8b5b1e17bb02760dbc668a50775f84ab09f846738a0c52839b03bc8a104f59cc07804fa20bf2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs

Filesize
137B

MD5
41c8a8551ff6fc7a2b9aadcff976ca0f

SHA1
444db8be2af0b1128229ac46e4963e0570159c3c

SHA256
bc147b5a209f5db13fa86ce6906be0d4dfec76469af3f304d490f10443cf5df5

SHA512
b52b716c3827a20d9298a32c8243f8e506c77c4be10e29e39a17ba303d0c65d70e257ab4f1c7368e99608c53ec12e6a1e7287e3d644df1f4cdbc539a501763c8

Download Submit
memory/460-28-0x0000000006340000-0x0000000006362000-memory.dmp

Filesize
136KB

Download
memory/460-12-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/460-25-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/460-9-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/460-27-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/460-13-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/460-23-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/460-29-0x0000000008010000-0x000000000868A000-memory.dmp

Filesize
6.5MB

Download
memory/460-24-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/460-32-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/460-11-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/460-8-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/460-7-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/460-6-0x0000000002520000-0x0000000002556000-memory.dmp

Filesize
216KB

Download
memory/460-26-0x0000000006D90000-0x0000000006E26000-memory.dmp

Filesize
600KB

Download
memory/460-10-0x0000000004F20000-0x0000000005548000-memory.dmp

Filesize
6.2MB

Download
memory/752-2409-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/752-2440-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

Filesize
80KB

Download
memory/752-2435-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/752-2437-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/752-2422-0x0000000007540000-0x0000000007572000-memory.dmp

Filesize
200KB

Download
memory/752-2423-0x0000000070C00000-0x0000000070C4C000-memory.dmp

Filesize
304KB

Download
memory/752-2438-0x0000000007A70000-0x0000000007A81000-memory.dmp

Filesize
68KB

Download
memory/752-2441-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/752-2434-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/752-2433-0x0000000006B00000-0x0000000006B1E000-memory.dmp

Filesize
120KB

Download
memory/752-2439-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

Filesize
56KB

Download
memory/752-2436-0x00000000077C0000-0x0000000007863000-memory.dmp

Filesize
652KB

Download
memory/752-2407-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/752-2421-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

Filesize
304KB

Download
memory/752-2408-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/752-2419-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/752-2444-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/752-2442-0x0000000007B90000-0x0000000007B98000-memory.dmp

Filesize
32KB

Download
memory/1392-92-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-106-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-102-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-100-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-98-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-96-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-94-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-2-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/1392-88-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-86-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-84-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-82-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-80-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-78-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-76-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-74-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-70-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-68-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-66-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-64-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-62-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-60-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-58-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-56-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-54-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-53-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-51-0x00000000060C0000-0x0000000006274000-memory.dmp

Filesize
1.7MB

Download
memory/1392-104-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-1-0x0000000000230000-0x0000000000402000-memory.dmp

Filesize
1.8MB

Download
memory/1392-2405-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1392-108-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-112-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-114-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-116-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-110-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-90-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-72-0x0000000005FE0000-0x0000000006052000-memory.dmp

Filesize
456KB

Download
memory/1392-52-0x0000000005FE0000-0x0000000006058000-memory.dmp

Filesize
480KB

Download
memory/1392-0-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1392-48-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1392-47-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1392-3-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/1392-4-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1392-5-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/3476-36-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3476-35-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3476-34-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3476-50-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/4204-2406-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4204-2446-0x0000000074C70000-0x0000000074CA9000-memory.dmp

Filesize
228KB

Download
memory/4204-2454-0x0000000075010000-0x0000000075049000-memory.dmp

Filesize
228KB

Download
memory/4204-2455-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4204-2458-0x0000000075010000-0x0000000075049000-memory.dmp

Filesize
228KB

Download
memory/4204-2461-0x0000000075010000-0x0000000075049000-memory.dmp

Filesize
228KB

Download