bitrat | 1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
Size

2.7MB
MD5

5df4f8f8a7a896fad462276803c89857
SHA1

ab113df31bb37cdb727f3ea3c6e9cc397e5be80e
SHA256

1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef
SHA512

08a63d53836e37a7971f76dc1e60be44ec073bdd11cbf3eb9f9dac9d1c8e1a4fa7a83c38dff972c8febad82f53b3c85f0db548664851fe7b5d60b05999ec13ee
SSDEEP

24576:aju8SpOfT+Z8fDTuvlzq3ae70J6ImfeSnPlAVMRNJhpEx4oQp3d2TX9iSghV+3Ol:NOfHfvu9qakj+aRXEx4LV+3OvS

Score

10^/10

bitrat discovery persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

aaaxxx60.hopto.org:100

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	hvh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	poum.exe

Executes dropped EXE 5 IoCs

pid	Process
2368	hvh.exe
4360	mscorsvw.exe
4468	poum.exe
4168	poum.exe
1968	mscorsvw.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4360-32-0x0000000000530000-0x0000000000914000-memory.dmp	upx
behavioral2/memory/4360-29-0x0000000000530000-0x0000000000914000-memory.dmp	upx
behavioral2/memory/1968-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1968-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cghvjh = "C:\\Users\\Admin\\AppData\\Roaming\\hvh.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 4360	2368	hvh.exe	117
PID 2368 set thread context of 1968	2368	hvh.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
212	4360	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4524	cmd.exe
2960	PING.EXE
4144	cmd.exe
2904	PING.EXE
1096	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2904	PING.EXE
1096	PING.EXE
2960	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
2368	hvh.exe
2368	hvh.exe
2368	hvh.exe
4468	poum.exe
4168	poum.exe
4168	poum.exe
4168	poum.exe
2368	hvh.exe
2368	hvh.exe
2368	hvh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
Token: SeDebugPrivilege	2368	hvh.exe
Token: SeDebugPrivilege	4468	poum.exe
Token: SeDebugPrivilege	4168	poum.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4524	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe	89
PID 2780 wrote to memory of 4524	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe	89
PID 2780 wrote to memory of 4524	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe	89
PID 4524 wrote to memory of 2960	4524	cmd.exe	91
PID 4524 wrote to memory of 2960	4524	cmd.exe	91
PID 4524 wrote to memory of 2960	4524	cmd.exe	91
PID 2780 wrote to memory of 4144	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe	104
PID 2780 wrote to memory of 4144	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe	104
PID 2780 wrote to memory of 4144	2780	1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe	104
PID 4144 wrote to memory of 2904	4144	cmd.exe	106
PID 4144 wrote to memory of 2904	4144	cmd.exe	106
PID 4144 wrote to memory of 2904	4144	cmd.exe	106
PID 4524 wrote to memory of 4288	4524	cmd.exe	113
PID 4524 wrote to memory of 4288	4524	cmd.exe	113
PID 4524 wrote to memory of 4288	4524	cmd.exe	113
PID 4144 wrote to memory of 1096	4144	cmd.exe	115
PID 4144 wrote to memory of 1096	4144	cmd.exe	115
PID 4144 wrote to memory of 1096	4144	cmd.exe	115
PID 4144 wrote to memory of 2368	4144	cmd.exe	116
PID 4144 wrote to memory of 2368	4144	cmd.exe	116
PID 4144 wrote to memory of 2368	4144	cmd.exe	116
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 4360	2368	hvh.exe	117
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 1968	2368	hvh.exe	121
PID 2368 wrote to memory of 4468	2368	hvh.exe	122
PID 2368 wrote to memory of 4468	2368	hvh.exe	122
PID 2368 wrote to memory of 4468	2368	hvh.exe	122
PID 4468 wrote to memory of 4168	4468	poum.exe	123
PID 4468 wrote to memory of 4168	4468	poum.exe	123
PID 4468 wrote to memory of 4168	4468	poum.exe	123

C:\Users\Admin\AppData\Local\Temp\1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe
"C:\Users\Admin\AppData\Local\Temp\1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "cghvjh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hvh.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 38
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "cghvjh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hvh.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4288
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef.exe" "C:\Users\Admin\AppData\Roaming\hvh.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\hvh.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2904
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1096
- - C:\Users\Admin\AppData\Roaming\hvh.exe
    "C:\Users\Admin\AppData\Roaming\hvh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
      "C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
      4⤵
      Executes dropped EXE
      PID:4360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 236
        5⤵
        Program crash
        
        PID:212
  - - C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
      "C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\poum.exe
      "C:\Users\Admin\AppData\Local\Temp\poum.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\poum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\poum.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4360 -ip 4360
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\poum.exe.log

Filesize
1KB

MD5
7dca233df92b3884663fa5a40db8d49c

SHA1
208b8f27b708c4e06ac37f974471cc7b29c29b60

SHA256
90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

SHA512
d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe

Filesize
131KB

MD5
8ea79e659da869468746abe850d67996

SHA1
c4d483ac89670539592d1b73733c25fb4fe3f574

SHA256
7d8d8696acd1815316174fba563f2e2ad0be3b5e9c6a28e237f9131a41067169

SHA512
f7d62ffa3f0cd1e3e8a163ee2d724854f749ece3169180f573ca683f2641519e8c7fc4308e0e4cc362a78f40640649d2f251ff0e35cd1e1710f810d79b7512b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\poum.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\poum.txt

Filesize
49B

MD5
050ce52f77641cc8a8a82b848882aaa0

SHA1
99810c55fba2f3e902fc8d1f5797629a2b784669

SHA256
7f90aa7668d189d3d00986fae2efdc57cfd275a079225aacab5137adf0198612

SHA512
dd94b41f60e3930c126b304225041a43c8b4fb9695b2d49d2a91304cd319a1ac8200c1aab4aeebb04fda62d774ceef87dd01d171b3f8d6ee788a9a72ce15d5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\poum.txt

Filesize
52B

MD5
2a4a65a8e2414e43b0604f779a9cbb26

SHA1
2c1890def36ca8a4ffaa167d6d39bddfd6882bce

SHA256
34ed94e068b25c5cd511c318d2c87c84fd36daabdda5dfba5d2957a7d50af3f7

SHA512
f8473dce9f6e40c54045d26da550f930d167b904946e2d45d6e5921aa5c1035ca1809e48205dc1c524a43f18913b5ac60b93f91951eca2ca44a49f4ce678ce4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\poum.txt

Filesize
52B

MD5
c773972188aa33c18e561c231bd188c4

SHA1
cb3ad9535ab7fb5aad1a556a3996a845a675b947

SHA256
4dc4fdff6b28418852e4a652b48a1d44480865b5140364a81ba9f039fff3592c

SHA512
b618b1f587d1d88224788f4f43ad3d19ab3f29f7a2735af4b5922a967c1b6a174a1b038036a30b0bbc838042d19590011bcbc4e5d2b209294a81819cd750351a

Download Submit
C:\Users\Admin\AppData\Roaming\hvh.exe

Filesize
2.7MB

MD5
5df4f8f8a7a896fad462276803c89857

SHA1
ab113df31bb37cdb727f3ea3c6e9cc397e5be80e

SHA256
1b57c846642439e8075b62c48f9f308c599c2fc0c028631b9263e6724c64ecef

SHA512
08a63d53836e37a7971f76dc1e60be44ec073bdd11cbf3eb9f9dac9d1c8e1a4fa7a83c38dff972c8febad82f53b3c85f0db548664851fe7b5d60b05999ec13ee

Download Submit
memory/1968-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1968-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2368-23-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/2368-27-0x0000000008A80000-0x0000000008AA2000-memory.dmp

Filesize
136KB

Download
memory/2368-26-0x0000000008690000-0x00000000089E4000-memory.dmp

Filesize
3.3MB

Download
memory/2368-25-0x000000000FAE0000-0x000000000FAE6000-memory.dmp

Filesize
24KB

Download
memory/2368-24-0x000000000D980000-0x000000000D99A000-memory.dmp

Filesize
104KB

Download
memory/2368-20-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/2368-21-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/2368-22-0x00000000054B0000-0x00000000054E2000-memory.dmp

Filesize
200KB

Download
memory/2780-8-0x000000000BCA0000-0x000000000BCAA000-memory.dmp

Filesize
40KB

Download
memory/2780-6-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/2780-12-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2780-11-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2780-10-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2780-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000000A80000-0x0000000000D36000-memory.dmp

Filesize
2.7MB

Download
memory/2780-2-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/2780-7-0x0000000005D50000-0x0000000005D66000-memory.dmp

Filesize
88KB

Download
memory/2780-3-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/2780-14-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2780-5-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2780-4-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/4360-29-0x0000000000530000-0x0000000000914000-memory.dmp

Filesize
3.9MB

Download
memory/4360-32-0x0000000000530000-0x0000000000914000-memory.dmp

Filesize
3.9MB

Download
memory/4468-45-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download