darkcomet | f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d

Analysis

max time kernel
151s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
Size

541KB
MD5

d4c4ba434338058c59a3086acdb2539e
SHA1

04eef30c111240b5bb1c035e022b60fc31000207
SHA256

f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d
SHA512

8800cfa243aa1ec5933680189266ddad4ec6b05f9571f9b150a23ad3bc10e51852b4a0574eb8303724a5caff61aeabb73ad836a299e6b37b8613b98d6b739fa2

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Gekon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Gekon.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Gekon.exemsdcsc.exe

pid process

2008 Gekon.exe
1136 msdcsc.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe

pid	process
2008	Gekon.exe
1136	msdcsc.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Gekon.exe	upx
\Users\Admin\AppData\Roaming\Gekon.exe	upx
\Users\Admin\AppData\Roaming\Gekon.exe	upx
\Users\Admin\AppData\Roaming\Gekon.exe	upx
\Users\Admin\AppData\Roaming\Gekon.exe	upx
C:\Users\Admin\AppData\Roaming\Gekon.exe	upx
C:\Users\Admin\AppData\Roaming\Gekon.exe	upx
\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx

Loads dropped DLL 7 IoCs

Processes:

f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exeGekon.exe

pid	process
1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
2008	Gekon.exe
2008	Gekon.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Gekon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Gekon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

1136 msdcsc.exe

pid	process
1136	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

Gekon.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2008	Gekon.exe
Token: SeSecurityPrivilege	2008	Gekon.exe
Token: SeTakeOwnershipPrivilege	2008	Gekon.exe
Token: SeLoadDriverPrivilege	2008	Gekon.exe
Token: SeSystemProfilePrivilege	2008	Gekon.exe
Token: SeSystemtimePrivilege	2008	Gekon.exe
Token: SeProfSingleProcessPrivilege	2008	Gekon.exe
Token: SeIncBasePriorityPrivilege	2008	Gekon.exe
Token: SeCreatePagefilePrivilege	2008	Gekon.exe
Token: SeBackupPrivilege	2008	Gekon.exe
Token: SeRestorePrivilege	2008	Gekon.exe
Token: SeShutdownPrivilege	2008	Gekon.exe
Token: SeDebugPrivilege	2008	Gekon.exe
Token: SeSystemEnvironmentPrivilege	2008	Gekon.exe
Token: SeChangeNotifyPrivilege	2008	Gekon.exe
Token: SeRemoteShutdownPrivilege	2008	Gekon.exe
Token: SeUndockPrivilege	2008	Gekon.exe
Token: SeManageVolumePrivilege	2008	Gekon.exe
Token: SeImpersonatePrivilege	2008	Gekon.exe
Token: SeCreateGlobalPrivilege	2008	Gekon.exe
Token: 33	2008	Gekon.exe
Token: 34	2008	Gekon.exe
Token: 35	2008	Gekon.exe
Token: SeIncreaseQuotaPrivilege	1136	msdcsc.exe
Token: SeSecurityPrivilege	1136	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1136	msdcsc.exe
Token: SeLoadDriverPrivilege	1136	msdcsc.exe
Token: SeSystemProfilePrivilege	1136	msdcsc.exe
Token: SeSystemtimePrivilege	1136	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1136	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1136	msdcsc.exe
Token: SeCreatePagefilePrivilege	1136	msdcsc.exe
Token: SeBackupPrivilege	1136	msdcsc.exe
Token: SeRestorePrivilege	1136	msdcsc.exe
Token: SeShutdownPrivilege	1136	msdcsc.exe
Token: SeDebugPrivilege	1136	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1136	msdcsc.exe
Token: SeChangeNotifyPrivilege	1136	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1136	msdcsc.exe
Token: SeUndockPrivilege	1136	msdcsc.exe
Token: SeManageVolumePrivilege	1136	msdcsc.exe
Token: SeImpersonatePrivilege	1136	msdcsc.exe
Token: SeCreateGlobalPrivilege	1136	msdcsc.exe
Token: 33	1136	msdcsc.exe
Token: 34	1136	msdcsc.exe
Token: 35	1136	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1136 msdcsc.exe

pid	process
1136	msdcsc.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exeGekon.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1296 wrote to memory of 2008	1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe	Gekon.exe
PID 1296 wrote to memory of 2008	1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe	Gekon.exe
PID 1296 wrote to memory of 2008	1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe	Gekon.exe
PID 1296 wrote to memory of 2008	1296	f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe	Gekon.exe
PID 2008 wrote to memory of 684	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 684	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 684	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 684	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 1668	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 1668	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 1668	2008	Gekon.exe	cmd.exe
PID 2008 wrote to memory of 1668	2008	Gekon.exe	cmd.exe
PID 684 wrote to memory of 1552	684	cmd.exe	attrib.exe
PID 684 wrote to memory of 1552	684	cmd.exe	attrib.exe
PID 684 wrote to memory of 1552	684	cmd.exe	attrib.exe
PID 684 wrote to memory of 1552	684	cmd.exe	attrib.exe
PID 1668 wrote to memory of 1632	1668	cmd.exe	attrib.exe
PID 1668 wrote to memory of 1632	1668	cmd.exe	attrib.exe
PID 1668 wrote to memory of 1632	1668	cmd.exe	attrib.exe
PID 1668 wrote to memory of 1632	1668	cmd.exe	attrib.exe
PID 2008 wrote to memory of 1136	2008	Gekon.exe	msdcsc.exe
PID 2008 wrote to memory of 1136	2008	Gekon.exe	msdcsc.exe
PID 2008 wrote to memory of 1136	2008	Gekon.exe	msdcsc.exe
PID 2008 wrote to memory of 1136	2008	Gekon.exe	msdcsc.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe
PID 1136 wrote to memory of 1948	1136	msdcsc.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1632 attrib.exe
1552 attrib.exe

pid	process
1632	attrib.exe
1552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe
"C:\Users\Admin\AppData\Local\Temp\f317a59ea553e2fbdeb151cf71b6baf33ab337f61abd2d14abfd06309dca1c4d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Roaming\Gekon.exe
"C:\Users\Admin\AppData\Roaming\Gekon.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
4⤵
- Views/modifies file attributes
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming" +s +h
4⤵
- Views/modifies file attributes
PID:1632

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1136

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
C:\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\AppData\Roaming\Gekon.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
252KB

MD5
200dccea6b2e072fa47842830aaf7754

SHA1
d07d57e782daf0b71e521257ef28d5ba69ebc6e2

SHA256
10e3f01bedd5fbc7a01c9864085557105ee43e8f0c05c98ea06c6d1f53f5f013

SHA512
87ca099a8b941063966cf13eb86a354e56f4166a080c1c0bd24b1e999db65e661c617bd666749e6c3fe198a7eb0d098f4160ce742a31cdcbbeda2341d12e52be

Download Submit
memory/684-64-0x0000000000000000-mapping.dmp

Download
memory/1136-70-0x0000000000000000-mapping.dmp

Download
memory/1296-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1552-66-0x0000000000000000-mapping.dmp

Download
memory/1632-67-0x0000000000000000-mapping.dmp

Download
memory/1668-65-0x0000000000000000-mapping.dmp

Download
memory/1948-74-0x0000000000000000-mapping.dmp

Download
memory/2008-60-0x0000000000000000-mapping.dmp

Download