blacknet | 51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

Analysis

max time kernel
38s
max time network
307s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinlockerBuilderV5.exe
Size

11.0MB
MD5

5891817266ffedc10d4a84a3bd483239
SHA1

b59d365a91b50ec55ccc1c1b2a70cbf858382aa3
SHA256

51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465
SHA512

517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Score

10^/10

blacknet darkcomet bot guest16 persistence rat trojan

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes

antivm
true
elevate_uac
false
install_name
jusched.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
true
usb_spread
true

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe	family_blacknet

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

upx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Executes dropped EXE 6 IoCs

Processes:

svshost.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exeupx_compresser.exetaskhost.exe

pid process

432 svshost.exe
524 jusched.exe
4736 WinlockerBuilderv5.exe
3604 upx_compresser.exe
4692 upx_compresser.exe
4352 taskhost.exe

pid	process
432	svshost.exe
524	jusched.exe
4736	WinlockerBuilderv5.exe
3604	upx_compresser.exe
4692	upx_compresser.exe
4352	taskhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

upx_compresser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Control Panel\International\Geo\Nation	upx_compresser.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WinlockerBuilderV5.exejusched.exeupx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinlockerBuilderV5.exe"	WinlockerBuilderV5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderV5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

upx_compresser.exe

description pid process target process

PID 3604 set thread context of 4692 3604 upx_compresser.exe upx_compresser.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3604 set thread context of 4692	3604	upx_compresser.exe	upx_compresser.exe

Modifies registry class 1 IoCs

Processes:

upx_compresser.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	upx_compresser.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

WinlockerBuilderV5.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exe

pid	process
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
2392	WinlockerBuilderV5.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
524	jusched.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
4736	WinlockerBuilderv5.exe
3604	upx_compresser.exe
3604	upx_compresser.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

upx_compresser.exe

pid process

3604 upx_compresser.exe

pid	process
3604	upx_compresser.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

WinlockerBuilderV5.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exe

description	pid	process
Token: SeDebugPrivilege	2392	WinlockerBuilderV5.exe
Token: SeDebugPrivilege	524	jusched.exe
Token: SeDebugPrivilege	4736	WinlockerBuilderv5.exe
Token: SeIncreaseQuotaPrivilege	4692	upx_compresser.exe
Token: SeSecurityPrivilege	4692	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	4692	upx_compresser.exe
Token: SeLoadDriverPrivilege	4692	upx_compresser.exe
Token: SeSystemProfilePrivilege	4692	upx_compresser.exe
Token: SeSystemtimePrivilege	4692	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	4692	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	4692	upx_compresser.exe
Token: SeCreatePagefilePrivilege	4692	upx_compresser.exe
Token: SeBackupPrivilege	4692	upx_compresser.exe
Token: SeRestorePrivilege	4692	upx_compresser.exe
Token: SeShutdownPrivilege	4692	upx_compresser.exe
Token: SeDebugPrivilege	4692	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	4692	upx_compresser.exe
Token: SeChangeNotifyPrivilege	4692	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	4692	upx_compresser.exe
Token: SeUndockPrivilege	4692	upx_compresser.exe
Token: SeManageVolumePrivilege	4692	upx_compresser.exe
Token: SeImpersonatePrivilege	4692	upx_compresser.exe
Token: SeCreateGlobalPrivilege	4692	upx_compresser.exe
Token: 33	4692	upx_compresser.exe
Token: 34	4692	upx_compresser.exe
Token: 35	4692	upx_compresser.exe
Token: 36	4692	upx_compresser.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WinlockerBuilderV5.exejusched.exeWinlockerBuilderv5.exe

pid process

2392 WinlockerBuilderV5.exe
2392 WinlockerBuilderV5.exe
524 jusched.exe
524 jusched.exe
4736 WinlockerBuilderv5.exe
4736 WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WinlockerBuilderV5.exesvshost.exeupx_compresser.exeupx_compresser.exe

description	pid	process	target process
PID 2392 wrote to memory of 524	2392	WinlockerBuilderV5.exe	jusched.exe
PID 2392 wrote to memory of 524	2392	WinlockerBuilderV5.exe	jusched.exe
PID 2392 wrote to memory of 432	2392	WinlockerBuilderV5.exe	svshost.exe
PID 2392 wrote to memory of 432	2392	WinlockerBuilderV5.exe	svshost.exe
PID 2392 wrote to memory of 432	2392	WinlockerBuilderV5.exe	svshost.exe
PID 432 wrote to memory of 4736	432	svshost.exe	WinlockerBuilderv5.exe
PID 432 wrote to memory of 4736	432	svshost.exe	WinlockerBuilderv5.exe
PID 432 wrote to memory of 3604	432	svshost.exe	upx_compresser.exe
PID 432 wrote to memory of 3604	432	svshost.exe	upx_compresser.exe
PID 432 wrote to memory of 3604	432	svshost.exe	upx_compresser.exe
PID 3604 wrote to memory of 4692	3604	upx_compresser.exe	upx_compresser.exe
PID 3604 wrote to memory of 4692	3604	upx_compresser.exe	upx_compresser.exe
PID 3604 wrote to memory of 4692	3604	upx_compresser.exe	upx_compresser.exe
PID 4692 wrote to memory of 4352	4692	upx_compresser.exe	taskhost.exe
PID 4692 wrote to memory of 4352	4692	upx_compresser.exe	taskhost.exe
PID 4692 wrote to memory of 4352	4692	upx_compresser.exe	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
5⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
6⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\WinlockerBuilderv5.exe.log
Filesize
866B

MD5
51a32d811e43ff583cccd2a2e1ebec55

SHA1
e45fe5ed2a98c0d976ea87af0f8f246127792c1c

SHA256
d8d22cdc9739248d10f672721c3970cbf6c579294301b424ad94020d65fbb7aa

SHA512
1ecdbba623ecb619f8b56cb112bbe34752be6801d0e4166530f071e94b27a58156b544686b9acfc43553e38f3549deb36c90832f76f9f3215a8b1c9154f32ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe
Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
memory/432-165-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-171-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-132-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-130-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-134-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-135-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-136-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-137-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-138-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-139-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-140-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-141-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-143-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-144-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-145-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-147-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-146-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-148-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-142-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-149-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-151-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-121-0x0000000000000000-mapping.dmp

Download
memory/432-152-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-153-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-154-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-155-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-156-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-157-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-158-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-159-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-160-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-161-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-162-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-125-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-164-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-127-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-166-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-167-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-168-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-169-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-170-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-131-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-172-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-126-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/432-129-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/524-128-0x00007FF9C0450000-0x00007FF9C0E83000-memory.dmp

Filesize
10.2MB

Download
memory/524-120-0x0000000000000000-mapping.dmp

Download
memory/524-253-0x000000000320A000-0x000000000320F000-memory.dmp

Filesize
20KB

Download
memory/524-163-0x000000000320A000-0x000000000320F000-memory.dmp

Filesize
20KB

Download
memory/1272-421-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1272-410-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1272-354-0x000000000048F888-mapping.dmp

Download
memory/2392-119-0x0000000002D3A000-0x0000000002D3F000-memory.dmp

Filesize
20KB

Download
memory/2392-150-0x0000000002D3A000-0x0000000002D3F000-memory.dmp

Filesize
20KB

Download
memory/2392-118-0x00007FF9C0450000-0x00007FF9C0E83000-memory.dmp

Filesize
10.2MB

Download
memory/3604-196-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-217-0x0000000002250000-0x0000000002259000-memory.dmp

Filesize
36KB

Download
memory/3604-189-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-190-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-191-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-192-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-193-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-195-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-187-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-194-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-185-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-179-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-176-0x0000000000000000-mapping.dmp

Download
memory/3604-188-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-180-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-184-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-183-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-181-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3604-182-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4352-312-0x0000000000000000-mapping.dmp

Download
memory/4692-272-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4692-333-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4692-220-0x000000000048F888-mapping.dmp

Download
memory/4736-177-0x00007FF9C0450000-0x00007FF9C0E83000-memory.dmp

Filesize
10.2MB

Download
memory/4736-173-0x0000000000000000-mapping.dmp

Download
memory/4736-219-0x0000000001B8A000-0x0000000001B8F000-memory.dmp

Filesize
20KB

Download