darkgate | 846f339f39e82f358fe5d0985afde119563754c9a8030dc237eac1a963a8bbf4

Analysis

max time kernel
884s
max time network
893s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08-02-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

independert.msi
Size

4.0MB
MD5

484bea10f5d2a0c4bdfa342e133033c6
SHA1

6860971d489198df13c64a295999ba3cc7c9c654
SHA256

846f339f39e82f358fe5d0985afde119563754c9a8030dc237eac1a963a8bbf4
SHA512

ce74de9217edd30ad96e00dea9ac8783284c26f93e7271f45e406880b46dbdcf8d71feafa26881d069b8b20b62e66e4a0fc3ccd428512fa45af319663720f20e
SSDEEP

49152:bpUPCczdSZ4Yx87nxODZGMFLnd8q67DZQlXvAoxS1mvXpiIg7W:bpSBx7nxOtFjOq67DcO1mh

Score

10^/10

darkgate discovery stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 1 IoCs

resource	yara_rule
behavioral1/memory/2024-116-0x0000000005DA0000-0x00000000060EE000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1040	ICACLS.EXE
2628	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e580d88.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e580d88.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4475B07E-B24B-45AB-9BE0-ED99A7F14744}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E53.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE

Executes dropped EXE 2 IoCs

pid	Process
3572	apdproxy.exe
2024	Autoit3.exe

Loads dropped DLL 5 IoCs

pid	Process
3280	MsiExec.exe
3572	apdproxy.exe
3572	apdproxy.exe
3572	apdproxy.exe
3280	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4476	msiexec.exe
4476	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	632	msiexec.exe
Token: SeSecurityPrivilege	4476	msiexec.exe
Token: SeCreateTokenPrivilege	632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	632	msiexec.exe
Token: SeLockMemoryPrivilege	632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	632	msiexec.exe
Token: SeMachineAccountPrivilege	632	msiexec.exe
Token: SeTcbPrivilege	632	msiexec.exe
Token: SeSecurityPrivilege	632	msiexec.exe
Token: SeTakeOwnershipPrivilege	632	msiexec.exe
Token: SeLoadDriverPrivilege	632	msiexec.exe
Token: SeSystemProfilePrivilege	632	msiexec.exe
Token: SeSystemtimePrivilege	632	msiexec.exe
Token: SeProfSingleProcessPrivilege	632	msiexec.exe
Token: SeIncBasePriorityPrivilege	632	msiexec.exe
Token: SeCreatePagefilePrivilege	632	msiexec.exe
Token: SeCreatePermanentPrivilege	632	msiexec.exe
Token: SeBackupPrivilege	632	msiexec.exe
Token: SeRestorePrivilege	632	msiexec.exe
Token: SeShutdownPrivilege	632	msiexec.exe
Token: SeDebugPrivilege	632	msiexec.exe
Token: SeAuditPrivilege	632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	632	msiexec.exe
Token: SeChangeNotifyPrivilege	632	msiexec.exe
Token: SeRemoteShutdownPrivilege	632	msiexec.exe
Token: SeUndockPrivilege	632	msiexec.exe
Token: SeSyncAgentPrivilege	632	msiexec.exe
Token: SeEnableDelegationPrivilege	632	msiexec.exe
Token: SeManageVolumePrivilege	632	msiexec.exe
Token: SeImpersonatePrivilege	632	msiexec.exe
Token: SeCreateGlobalPrivilege	632	msiexec.exe
Token: SeBackupPrivilege	1416	vssvc.exe
Token: SeRestorePrivilege	1416	vssvc.exe
Token: SeAuditPrivilege	1416	vssvc.exe
Token: SeBackupPrivilege	4476	msiexec.exe
Token: SeRestorePrivilege	4476	msiexec.exe
Token: SeRestorePrivilege	4476	msiexec.exe
Token: SeTakeOwnershipPrivilege	4476	msiexec.exe
Token: SeRestorePrivilege	4476	msiexec.exe
Token: SeTakeOwnershipPrivilege	4476	msiexec.exe
Token: SeRestorePrivilege	4476	msiexec.exe
Token: SeTakeOwnershipPrivilege	4476	msiexec.exe
Token: SeRestorePrivilege	4476	msiexec.exe
Token: SeTakeOwnershipPrivilege	4476	msiexec.exe
Token: SeBackupPrivilege	4512	srtasks.exe
Token: SeRestorePrivilege	4512	srtasks.exe
Token: SeSecurityPrivilege	4512	srtasks.exe
Token: SeTakeOwnershipPrivilege	4512	srtasks.exe
Token: SeBackupPrivilege	4512	srtasks.exe
Token: SeRestorePrivilege	4512	srtasks.exe
Token: SeSecurityPrivilege	4512	srtasks.exe
Token: SeTakeOwnershipPrivilege	4512	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
632	msiexec.exe
632	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 4512	4476	msiexec.exe	77
PID 4476 wrote to memory of 4512	4476	msiexec.exe	77
PID 4476 wrote to memory of 3280	4476	msiexec.exe	79
PID 4476 wrote to memory of 3280	4476	msiexec.exe	79
PID 4476 wrote to memory of 3280	4476	msiexec.exe	79
PID 3280 wrote to memory of 1040	3280	MsiExec.exe	80
PID 3280 wrote to memory of 1040	3280	MsiExec.exe	80
PID 3280 wrote to memory of 1040	3280	MsiExec.exe	80
PID 3280 wrote to memory of 1672	3280	MsiExec.exe	82
PID 3280 wrote to memory of 1672	3280	MsiExec.exe	82
PID 3280 wrote to memory of 1672	3280	MsiExec.exe	82
PID 3280 wrote to memory of 3572	3280	MsiExec.exe	84
PID 3280 wrote to memory of 3572	3280	MsiExec.exe	84
PID 3280 wrote to memory of 3572	3280	MsiExec.exe	84
PID 3572 wrote to memory of 2024	3572	apdproxy.exe	85
PID 3572 wrote to memory of 2024	3572	apdproxy.exe	85
PID 3572 wrote to memory of 2024	3572	apdproxy.exe	85
PID 3280 wrote to memory of 2628	3280	MsiExec.exe	86
PID 3280 wrote to memory of 2628	3280	MsiExec.exe	86
PID 3280 wrote to memory of 2628	3280	MsiExec.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\independert.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1AB01C2F0880A19B72B9F411FD4D1990
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1040
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\apdproxy.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\apdproxy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2024
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files.cab

Filesize
3.7MB

MD5
b5a1995210150c6e9d362e967d83b590

SHA1
f4642b8b5e125863cea56196b584cefa5861aebd

SHA256
e0a36182df70d6af3289ea7c430874b8281db531c767beab5131f6726f5635a2

SHA512
94ad3c4e539ef8cb50dfb81e4c1ca6ffeb3da18718c40a77b0c160354b7994896b54edc8ec94a552395d7fd529d95bc16e4e5baedd8c91a8fdb8777c85e00901

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\apdboot.dll

Filesize
931KB

MD5
7514fa4d5d1162f631ed5fea0884c0f4

SHA1
a39e56a89b546b1ad55e531e62240586b9489234

SHA256
e1f5396d6c9e0d82c45fb48c723460709706398078546bca83e123ca9eb4036f

SHA512
5822def0a35098f80cd570f79a848b639681d21eae4c79479e562907c58c42a218ba786df7ab328532dee1e8f6bc3a7da5c1529f17b93d759df328603ec02b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\apdproxy.exe

Filesize
62KB

MD5
fc9e59fe8bc4fe05382cff5c8fc59de1

SHA1
69423bc900644a910936d2c5828348d188e5d750

SHA256
a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3

SHA512
1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\sqlite3.dll

Filesize
1.9MB

MD5
4bf9a5f13e33c3dcecbe82dc1fec647d

SHA1
1e42b49470db763528f6ba7380aa9e3fedb03949

SHA256
3c3015717fec9fcb191b2722efe58fed15c89d553532fe9ba3b6393661aa365e

SHA512
3a5d1f605056db1072d310a7c4a9df84952a816e994d6dd64a734e3bd7faf96a7fedfba0e0a96128acab6adc8e6430dd95a30a49abbf0f5a7fc9c0b68c69d75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\msiwrapper.ini

Filesize
1KB

MD5
725844acc7e20878ee2a26e1c50040e9

SHA1
a8231694a0e52bcdd83cf1b7adc0070ccff43539

SHA256
b5312ca801fc5dd4011688f960a15a4e7a981b187b05c74d0b53e8b9b9e01e3f

SHA512
861aca65a060a5887a33fea96481f1fed05043e07a744e33393e692ab24f9339224010a17dabbe6c38954a817d778f7ced955ff60c803c05756bd97df98c62a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\msiwrapper.ini

Filesize
440B

MD5
286c6fee14c10861b59a8c23bf2f2955

SHA1
b70520b9f8acfcf0ce3f470445a1a71a0ec91d56

SHA256
677d81e37398cd91772c662a02ce543444c0db640e09b9ec912b50170a21aa38

SHA512
333d06cfb312a4204fd755ab29f13e181971191d7880044d75ede304a1c9cb05880ef8bab49c0fa884d8b62e9ae5f94090d686c951e0357769bb5d25b9ecf17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\msiwrapper.ini

Filesize
1KB

MD5
ef385aea18b57cefd1af6f633ce1b755

SHA1
b5933ae051442cd061449a15337a5c1c4824f6f4

SHA256
eaeb382016bc28a4d6c650481701ca10b817094cc7cc3ffdcab5e8cc8aa30475

SHA512
1805f290d4e01b0876730f8158581a9d8269dc2b6a38e815779a366c8bce3f3dd8255a34422ee724043cc0ef4c41fe878b3283489cf67fedc736bf386d5f938d

Download Submit
C:\Windows\Installer\MSIF4D.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
01242f476050982645614525d9a86d40

SHA1
42e52e7eef220db14b97592a95e26aeb5d576caf

SHA256
38023244b96a49d70aea761d64aa4c27fdfdb6b72727e7baaba52a79f1db8fd4

SHA512
13f68066cb6fe85e19e42e04b76c782b280fa22f4f9523e6e970c49d8acd7e8114ede5623bed6c81f9e62a428bae094f4136ee8b50e5f0c32bc704519e8610b1

Download Submit
\??\Volume{eeeaf00d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4cc560cb-51d4-4a3e-a2e1-b790abcd1c3f}_OnDiskSnapshotProp

Filesize
5KB

MD5
e8742601dc34284899a62e87b41ee0b7

SHA1
9a0d62258c9441f02479482f11b276e4b197d9e8

SHA256
73bef6c44bb75f0bef3f9075ff0c84e5eb382d51a1d5d06797d4264cf3dd4152

SHA512
bf14fdfac1702425b3e1e57342944d051417a96b6d406ccd3d812981b29109c89bc76dc7ac4c3be04533d2b596d6bd1f865706bbe63bf3eb4e6b7f931e2ed9e1

Download Submit
\??\c:\temp\script.au3

Filesize
910KB

MD5
5ae10e98b7f01a0433b18c66dd7ff7d3

SHA1
7043ab94fcd76c9a7afb91e2adae691358796eb5

SHA256
c83870e8f4884f6653ad7fe43d43e9ab8d6c8b3c295d10f1f1921acd8f1e42a8

SHA512
4c337d91ca76844dbebd186df0a165efea46a0234b8472f7b4fcc9c844917eb7a8449fc3e3e9006e8f5ad3e1df716d19f7dd212cfdf44268caaa3ea72f53aeb8

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
af2e30edcb89c0b9ca2bc4ccc519e5b0

SHA1
c93d528cd43890fef9841708a825b02133a07734

SHA256
f8b5bfd9bff557bcd6326949ad261e74edc463350a276fb080a250f76284de45

SHA512
4279afcf1f76d411b766e51ee207b8cb5dc5914c409359387b74ed0fc1f26db134592fdd4030b650e05d7fd7f7d5ffb4c0d5f3e67b548c224fa910b880db35d8

Download Submit
\Users\Admin\AppData\Local\Temp\MW-62d3174a-b188-43c9-955a-1641571b5b0e\files\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
memory/2024-116-0x0000000005DA0000-0x00000000060EE000-memory.dmp

Filesize
3.3MB

Download
memory/2024-111-0x0000000004600000-0x00000000055D0000-memory.dmp

Filesize
15.8MB

Download
memory/3572-93-0x0000000002570000-0x0000000002763000-memory.dmp

Filesize
1.9MB

Download
memory/3572-101-0x0000000002570000-0x0000000002763000-memory.dmp

Filesize
1.9MB

Download
memory/3572-99-0x0000000072930000-0x0000000072A24000-memory.dmp

Filesize
976KB

Download