darkgate | 6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe
Size

3.5MB
MD5

0bd370eef60a45fd61634df249b64b91
SHA1

6758f0170b8227ad373ec35e12e6f300f2f27b42
SHA256

6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
SHA512

b06159c59477dba32c69c53194e832ce2335d038761559328cb04f7f5286d4800fd68f9ac1d61f0063cb138e2e191876e13ab5ee0d03ca9bf44b70e086140f52
SSDEEP

49152:XwREDDMeGGezwQbVqL+ecrCkwYw4z0g3QjfkRiGqUydHeMxWrP+beY7UY714:XwREBGGezfI2hwYDzJQ7UqzdMwZgN

Score

10^/10

darkgate seeksoul discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

seeksoul

version6dkgate.duckdns.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
5864
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
hOTwjapB
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
seeksoul

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 9 IoCs

resource	yara_rule
behavioral2/memory/3628-15-0x00000000046D0000-0x00000000049C1000-memory.dmp	family_darkgate_v6
behavioral2/memory/3628-28-0x00000000046D0000-0x00000000049C1000-memory.dmp	family_darkgate_v6
behavioral2/memory/2180-31-0x0000000002F90000-0x0000000003732000-memory.dmp	family_darkgate_v6
behavioral2/memory/2180-38-0x0000000002F90000-0x0000000003732000-memory.dmp	family_darkgate_v6
behavioral2/memory/2180-39-0x0000000002F90000-0x0000000003732000-memory.dmp	family_darkgate_v6
behavioral2/memory/2180-40-0x0000000002F90000-0x0000000003732000-memory.dmp	family_darkgate_v6
behavioral2/memory/2180-37-0x0000000002F90000-0x0000000003732000-memory.dmp	family_darkgate_v6
behavioral2/memory/2180-41-0x0000000002F90000-0x0000000003732000-memory.dmp	family_darkgate_v6
behavioral2/memory/2268-42-0x00000000024F0000-0x0000000002C92000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3628 created 2872	3628	Autoit3.exe	50
PID 2180 created 5064	2180	GoogleUpdateCore.exe	81
PID 2180 created 3832	2180	GoogleUpdateCore.exe	59
PID 2180 created 2872	2180	GoogleUpdateCore.exe	50

Executes dropped EXE 2 IoCs

pid	Process
1348	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp
3628	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaadadh = "\"C:\\ProgramData\\cbhgcef\\Autoit3.exe\" C:\\ProgramData\\cbhgcef\\kabbcca.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaadadh = "\"C:\\ProgramData\\cbhgcef\\Autoit3.exe\" C:\\ProgramData\\cbhgcef\\kabbcca.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
3628	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3628	Autoit3.exe
3628	Autoit3.exe
3628	Autoit3.exe
3628	Autoit3.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2180	GoogleUpdateCore.exe
2268	GoogleUpdateCore.exe
2268	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4660	WMIC.exe
Token: SeSecurityPrivilege	4660	WMIC.exe
Token: SeTakeOwnershipPrivilege	4660	WMIC.exe
Token: SeLoadDriverPrivilege	4660	WMIC.exe
Token: SeSystemProfilePrivilege	4660	WMIC.exe
Token: SeSystemtimePrivilege	4660	WMIC.exe
Token: SeProfSingleProcessPrivilege	4660	WMIC.exe
Token: SeIncBasePriorityPrivilege	4660	WMIC.exe
Token: SeCreatePagefilePrivilege	4660	WMIC.exe
Token: SeBackupPrivilege	4660	WMIC.exe
Token: SeRestorePrivilege	4660	WMIC.exe
Token: SeShutdownPrivilege	4660	WMIC.exe
Token: SeDebugPrivilege	4660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4660	WMIC.exe
Token: SeRemoteShutdownPrivilege	4660	WMIC.exe
Token: SeUndockPrivilege	4660	WMIC.exe
Token: SeManageVolumePrivilege	4660	WMIC.exe
Token: 33	4660	WMIC.exe
Token: 34	4660	WMIC.exe
Token: 35	4660	WMIC.exe
Token: 36	4660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4660	WMIC.exe
Token: SeSecurityPrivilege	4660	WMIC.exe
Token: SeTakeOwnershipPrivilege	4660	WMIC.exe
Token: SeLoadDriverPrivilege	4660	WMIC.exe
Token: SeSystemProfilePrivilege	4660	WMIC.exe
Token: SeSystemtimePrivilege	4660	WMIC.exe
Token: SeProfSingleProcessPrivilege	4660	WMIC.exe
Token: SeIncBasePriorityPrivilege	4660	WMIC.exe
Token: SeCreatePagefilePrivilege	4660	WMIC.exe
Token: SeBackupPrivilege	4660	WMIC.exe
Token: SeRestorePrivilege	4660	WMIC.exe
Token: SeShutdownPrivilege	4660	WMIC.exe
Token: SeDebugPrivilege	4660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4660	WMIC.exe
Token: SeRemoteShutdownPrivilege	4660	WMIC.exe
Token: SeUndockPrivilege	4660	WMIC.exe
Token: SeManageVolumePrivilege	4660	WMIC.exe
Token: 33	4660	WMIC.exe
Token: 34	4660	WMIC.exe
Token: 35	4660	WMIC.exe
Token: 36	4660	WMIC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1348	4884	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe	84
PID 4884 wrote to memory of 1348	4884	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe	84
PID 4884 wrote to memory of 1348	4884	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe	84
PID 1348 wrote to memory of 3628	1348	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp	85
PID 1348 wrote to memory of 3628	1348	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp	85
PID 1348 wrote to memory of 3628	1348	6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp	85
PID 3628 wrote to memory of 2128	3628	Autoit3.exe	89
PID 3628 wrote to memory of 2128	3628	Autoit3.exe	89
PID 3628 wrote to memory of 2128	3628	Autoit3.exe	89
PID 2128 wrote to memory of 4660	2128	cmd.exe	91
PID 2128 wrote to memory of 4660	2128	cmd.exe	91
PID 2128 wrote to memory of 4660	2128	cmd.exe	91
PID 3628 wrote to memory of 2180	3628	Autoit3.exe	93
PID 3628 wrote to memory of 2180	3628	Autoit3.exe	93
PID 3628 wrote to memory of 2180	3628	Autoit3.exe	93
PID 3628 wrote to memory of 2180	3628	Autoit3.exe	93
PID 2180 wrote to memory of 2268	2180	GoogleUpdateCore.exe	94
PID 2180 wrote to memory of 2268	2180	GoogleUpdateCore.exe	94
PID 2180 wrote to memory of 2268	2180	GoogleUpdateCore.exe	94
PID 2180 wrote to memory of 2268	2180	GoogleUpdateCore.exe	94

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2872
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2180
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe
"C:\Users\Admin\AppData\Local\Temp\6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\is-5CCEQ.tmp\6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5CCEQ.tmp\6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp" /SL5="$50294,2630150,845824,C:\Users\Admin\AppData\Local\Temp\6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\is-IPBFK.tmp\Autoit3.exe
    "C:\Users\Admin\AppData\Local\Temp\is-IPBFK.tmp\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\is-IPBFK.tmp\script.a3x
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Command and Scripting Interpreter: AutoIT
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - \??\c:\windows\SysWOW64\cmd.exe
      "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\cbhgcef\dfhfbba
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic ComputerSystem get domain
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cbhgcef\dfhfbba

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\cbhgcef\eeeagba

Filesize
1KB

MD5
a636a55202b69bcf2adf9d1024a4f398

SHA1
aa8c216f77d0f25593707018575c00d17e7ad9de

SHA256
62ddda733912a744cd4dd2acb9fc09971c33bf5a93cb56d5d944f63885fbe651

SHA512
b91be14bb1f2462fa8f7b2fec22ca445d5d46ebcd3375f930abce06c8c4d406163ffeb1519924b2bed0c668bb874fdd3f837a052cb35e3412fba6f9963e71582

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5CCEQ.tmp\6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8.tmp

Filesize
3.2MB

MD5
e587511f17c07622f2e88bde6dc2a499

SHA1
08899e43445db2e0d000b3afd80e028636786eeb

SHA256
9fbf0748b5d890c2c28b1ae20aad7fc23a93cc7a57c4a51220d9381af7637c60

SHA512
2e59d9c525c5383c4ea66c785584aa69256a47ffe928a6595cc2bf07469d2da4dd56dcd3d3d42496e593c39eec6356fc4c8a9cdeee6770c7e6c3319b8b614c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPBFK.tmp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPBFK.tmp\script.a3x

Filesize
456KB

MD5
3694bf115b834e2259ac51b2e6a26f5c

SHA1
305ff2b980ecdb533600a61770fd9a865eddaf55

SHA256
900c32b827d80a48d734d8e33c1dc694f24fc60c277785808a7cbb2314c8b785

SHA512
84790f75b2cd121de977c7be4fe383890be141e10bf854b5da931452ba973758587296bfd1cdb43b0c5cb444e8eca2778ecd62f93b143224a8847f6940890e0d

Download Submit
C:\Users\Admin\AppData\Roaming\CbAdfHa

Filesize
32B

MD5
988e403c054437972c9dbfb6a78e4c62

SHA1
2257a79121b8e2a9dc67c6f0048080ab8a16377f

SHA256
161057c2125ca2158057d8cd2d0b8f2544717ca20b43347e294f80f786169eea

SHA512
d7dc59d5bdd5de19d0af8adc036b603e5be698f80ff3d41ac8102045eed01246cd7882859c7169f47e621c304f1314a90c3aafd26b63d8db374c858ecb67283c

Download Submit
C:\temp\adhaagd

Filesize
4B

MD5
72e459b57d84b81a12057e1efe9ef1f3

SHA1
8994114c119372f5d9644ba45965ab9a8830237e

SHA256
d6cff05a38e09e6a899bbbb89dfcf01c8519605c409397547aca0af12bf68b60

SHA512
9811ff64c08ddba092f87c8f8349ff92a66f78a3521bb14258e133167a9f762e95608e591627c509ae5562eabe6d12212ede1149f01817c43317794132eae702

Download Submit
C:\temp\fadfkek

Filesize
4B

MD5
7c562fcc6d0a3ff5c0faa2ea729ecf6b

SHA1
26797a738a2fb82857059681ab45fb380fb383c4

SHA256
d148891dac6f2a75f74865e020128fb269eb09434b0a29d6816a3c3270bf2f59

SHA512
fed9399a20a52234078f3b0cdbb21db273d5f3fcf204fc71f38ac470a0478a0d749ac7f0760915d28af415283331efc696a491b25c100d2822042a1cd435193d

Download Submit
C:\temp\fadfkek

Filesize
4B

MD5
6689e440a56716f57c34e1323bf6eed9

SHA1
6002bae72e7d880fbcc283289dac490cfd1bb8cc

SHA256
c28c2800c9cac040a9df27125c3c5dcabafe954973dd7083af813d91c3c19e78

SHA512
92dd44afb61897559cd9fd020e1763722392556d5289185087f0583f1b4b09fc25a169553f18e77deb008b02358c4bf9bb8d4ef430d43c61cdd2e5039e7c41fe

Download Submit
memory/1348-46-0x00000000001F0000-0x0000000000533000-memory.dmp

Filesize
3.3MB

Download
memory/1348-6-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1348-43-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2180-40-0x0000000002F90000-0x0000000003732000-memory.dmp

Filesize
7.6MB

Download
memory/2180-37-0x0000000002F90000-0x0000000003732000-memory.dmp

Filesize
7.6MB

Download
memory/2180-41-0x0000000002F90000-0x0000000003732000-memory.dmp

Filesize
7.6MB

Download
memory/2180-31-0x0000000002F90000-0x0000000003732000-memory.dmp

Filesize
7.6MB

Download
memory/2180-38-0x0000000002F90000-0x0000000003732000-memory.dmp

Filesize
7.6MB

Download
memory/2180-39-0x0000000002F90000-0x0000000003732000-memory.dmp

Filesize
7.6MB

Download
memory/2268-42-0x00000000024F0000-0x0000000002C92000-memory.dmp

Filesize
7.6MB

Download
memory/3628-15-0x00000000046D0000-0x00000000049C1000-memory.dmp

Filesize
2.9MB

Download
memory/3628-28-0x00000000046D0000-0x00000000049C1000-memory.dmp

Filesize
2.9MB

Download
memory/3628-14-0x00000000014F0000-0x00000000018F0000-memory.dmp

Filesize
4.0MB

Download
memory/4884-0-0x0000000000070000-0x000000000014C000-memory.dmp

Filesize
880KB

Download
memory/4884-44-0x0000000000070000-0x000000000014C000-memory.dmp

Filesize
880KB

Download
memory/4884-2-0x0000000000071000-0x0000000000119000-memory.dmp

Filesize
672KB

Download
memory/4884-48-0x0000000000070000-0x000000000014C000-memory.dmp

Filesize
880KB

Download