discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1221895306933833802/1221898554881212558/Client-built[.]rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&

Analysis

max time kernel
46s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMTg5NTk3MTUyNTQ5NjkxMg.G_X-be.E8sJUVwetw4JXRkXLSkoeawb2aYJtgn7GPPHtU
server_id
1221895306120265778

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
5712	Client-built.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Client-built.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4432	firefox.exe
Token: SeDebugPrivilege	4432	firefox.exe
Token: SeDebugPrivilege	4432	firefox.exe
Token: SeRestorePrivilege	5428	7zG.exe
Token: 35	5428	7zG.exe
Token: SeSecurityPrivilege	5428	7zG.exe
Token: SeSecurityPrivilege	5428	7zG.exe
Token: SeDebugPrivilege	5712	Client-built.exe
Token: SeDebugPrivilege	6016	taskmgr.exe
Token: SeSystemProfilePrivilege	6016	taskmgr.exe
Token: SeCreateGlobalPrivilege	6016	taskmgr.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4432	firefox.exe
4432	firefox.exe
4432	firefox.exe
4432	firefox.exe
5428	7zG.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
4432	firefox.exe
4432	firefox.exe
4432	firefox.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe
6016	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4432	firefox.exe
4432	firefox.exe
4432	firefox.exe
4432	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 2396 wrote to memory of 4432	2396	firefox.exe	88
PID 4432 wrote to memory of 4520	4432	firefox.exe	89
PID 4432 wrote to memory of 4520	4432	firefox.exe	89
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 844	4432	firefox.exe	90
PID 4432 wrote to memory of 5040	4432	firefox.exe	91
PID 4432 wrote to memory of 5040	4432	firefox.exe	91
PID 4432 wrote to memory of 5040	4432	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.0.1577052757\1668171635" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d34ca7b-971c-46bd-aabc-ab232ddf3f9b} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 1952 1a61b4db458 gpu
    3⤵
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.1.1661933245\1301339035" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85625ac-c9b0-4495-b732-3dc743303eca} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 2428 1a60e5ece58 socket
    3⤵
    PID:844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.2.1232387339\920252788" -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5ec2cd-4cc9-4dd0-af4b-57600ecc8be3} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 3096 1a61eee5758 tab
    3⤵
    PID:5040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.3.770715586\1806165305" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ac22b2d-1820-4338-811c-692dedaa0ee4} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 3428 1a61d8b7a58 tab
    3⤵
    PID:1788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.4.1844973132\208204205" -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 4392 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3102cadd-0edc-4ed8-9ee5-14c3ab7f6d38} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 5408 1a60e569658 tab
    3⤵
    PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.5.598913774\1512322779" -childID 4 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aa83c0a-236d-4af9-8681-c59d6f5bc9b3} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 5544 1a62219f458 tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.6.1095825991\809794408" -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2868ae3b-19a4-43a0-a9b6-f9f6e2773f81} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 5744 1a62219fd58 tab
    3⤵
    PID:5112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Client-built\" -spe -an -ai#7zMap16888:86:7zEvent16521
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5428

C:\Users\Admin\Downloads\Client-built\Client-built.exe
"C:\Users\Admin\Downloads\Client-built\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8b74f0369b5414ad0603a42eca47d72f

SHA1
3a8bdd9428e635f6115e11579facaf13afc41994

SHA256
953d25d94989a86099c68ea542074512f3eb5736f0a9a49cb1c080a837f34297

SHA512
b237cacda7647b93cebd7d43938b0f2f0fa3f63f20e6da27670d0b7ed472e6fa131fb0277261a95c47062bb2e6020a57a0dc7e58c6963c5bb8130f3726e37199

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\7dc57f6b-3049-444e-a94c-e41fee7c672a

Filesize
11KB

MD5
496c98147e960b26fd82299da1db5f59

SHA1
8178ab43d6bbc41ce1e4555dc59fbe141327150f

SHA256
9452fe018f33fa9af3c97399acab7b0bf1287e49e0b160c4b76c877e8004243b

SHA512
8abf16ead568adf7d4421518ed8630ea98fde5a5f39f4e004a096978701e5b90044e7a9265c44e0b5c40ac1e4704eaa397beba4dbfe263d0921ae002520d8f4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\ca2e6c91-e6c2-4970-b465-ad2be9daf8f5

Filesize
746B

MD5
fceb4dfc1b19de4990e87460f6271c6c

SHA1
24254531e8aa5a8f616cb4734551d37009df0410

SHA256
37021217278793751ebbeee9dcab00baa5f8fa9b399a86bf93b3eacd85ab2c03

SHA512
17c6adcea7bf4fb74c75139552d7ee144e5071038e5c969aee22df18538bcd05aaa5886f8def709802184976d48c527cdde97b0f135c2ec22c453bbe2f0fdb72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
14954438b03539a1344050c31f6235d4

SHA1
c2bc51be3a7c9d29aa58d5def238be22c2f72f30

SHA256
4f42b2251ae795745091693dd5636e05c4749393f11e651c0a64f1b9d92740c5

SHA512
68985ad323491644f4a7b085c2a9cf0a15bda063e5c5a5d1d88c731a3dc2fd0938903b4a7c4f3f7b6a93eddd33e28439e6fc7044055563fea459b9dee67a78cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
58ce08cd9930c4c2be1b3af7137b1b07

SHA1
cccd94d643cfb765837514f4ee4bf08aadbbe1a2

SHA256
9a2949c02b2c7638e7ac9efe66eab6a192bc91e5e34c5c74468da3d2d59a61ba

SHA512
1f53707fbf7baac7662904f6466d731f1245901cde70afaeac160ab5c7b0990c57a5c9dfa70bd70eeaeb99590635d49e43425ea301528a0cd9ddbc7c8ffb7f43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4b1375476c90d40fefae33dd5d14e4dc

SHA1
20b11313940517e4d7dc4e823e6d181e16fc60b8

SHA256
347864bb12f08057da0827efe8714be15d31d60fc3759e52c62fab2fb3eb88f5

SHA512
dd2bc6e389317bd5c1c5023c70649130aaf9097ff91af44ed3d575982806b0930a7ecb812b9ffbe23b77d6e9d5cef90303ab87d51818ac317ac66a158d7988a9

Download Submit
C:\Users\Admin\Downloads\Client-built\Client-built.exe

Filesize
78KB

MD5
c457f37d56b3dcae201872b6db4920e4

SHA1
274486769ff007717b29bb05512ddbe8f264b8dd

SHA256
d9b2081ba5292d8ddc0fa95e031a84be520c07aba878e169a0d3c8be10048a16

SHA512
d14328d8272bc2421606ee51336c9b10deaa514352751e9ee6827e259f078e87f58bbcf13930cb480a158fce191c99c1b4fb99172b1dc39991b2a95be529441a

Download Submit
C:\Users\Admin\Downloads\fviFdtjZ.rar.part

Filesize
26KB

MD5
9add42f59c08775d4837d367ad6ab39d

SHA1
178a554579ae84da18889444b7649695f85089a1

SHA256
f148119bf8c8ed3d9006b25c1ed94ff56a6a8c6506818f5c9e939dac085991f0

SHA512
deb273b9a8205632b71f1e31c18ea6090b711356f4d4148be3cd4db70c3459b174f9be49c1a021d0b71d4e23257a284da3e8ca20a150938fae9b61c33835a2d4

Download Submit
memory/5712-125-0x000001A92EAB0000-0x000001A92EFD8000-memory.dmp

Filesize
5.2MB

Download
memory/5712-122-0x000001A92E270000-0x000001A92E432000-memory.dmp

Filesize
1.8MB

Download
memory/5712-124-0x000001A92E150000-0x000001A92E160000-memory.dmp

Filesize
64KB

Download
memory/5712-123-0x00007FFDE7A20000-0x00007FFDE84E1000-memory.dmp

Filesize
10.8MB

Download
memory/5712-121-0x000001A913BD0000-0x000001A913BE8000-memory.dmp

Filesize
96KB

Download
memory/5712-145-0x000001A92E150000-0x000001A92E160000-memory.dmp

Filesize
64KB

Download
memory/5712-143-0x00007FFDE7A20000-0x00007FFDE84E1000-memory.dmp

Filesize
10.8MB

Download
memory/6016-137-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-136-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-132-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-139-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-140-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-141-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-142-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-138-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-131-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download
memory/6016-130-0x00000251FE560000-0x00000251FE561000-memory.dmp

Filesize
4KB

Download