darkcomet | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

Resubmissions

05/02/2025, 07:30

250205-jb9afaxrdl 10

05/02/2025, 07:08

250205-hx7s3axlak 10

01/10/2022, 23:07

221001-235ensceam 10

Analysis

max time kernel
153s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Size

582KB
MD5

6ee8965f23ab498defe80b79ab2ca52c
SHA1

0d74605007a81bf44052dcf43385b236d9401c66
SHA256

0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
SHA512

9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
SSDEEP

12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6

Score

10^/10

darkcomet dataprotector13.05.2013 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DataProtector13.05.2013

vierus330.no-ip.org:9751

Mutex

DCMIN_MUTEX-P9NPCV7

Attributes

gencode
Ch5FEfuRL0mp
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2004	cmiadapter.exe
1464	PrintConfig.exe
1604	cmiadapter.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
1464	PrintConfig.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 1464 set thread context of 1816	1464	PrintConfig.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
2004	cmiadapter.exe
2004	cmiadapter.exe
1464	PrintConfig.exe
1464	PrintConfig.exe
1464	PrintConfig.exe
1464	PrintConfig.exe
1464	PrintConfig.exe
1464	PrintConfig.exe
1464	PrintConfig.exe
1604	cmiadapter.exe
1464	PrintConfig.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1464	PrintConfig.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1464	PrintConfig.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1464	PrintConfig.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1464	PrintConfig.exe
1604	cmiadapter.exe
1604	cmiadapter.exe
1604	cmiadapter.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Token: SeDebugPrivilege	2004	cmiadapter.exe
Token: SeIncreaseQuotaPrivilege	1880	svchost.exe
Token: SeSecurityPrivilege	1880	svchost.exe
Token: SeTakeOwnershipPrivilege	1880	svchost.exe
Token: SeLoadDriverPrivilege	1880	svchost.exe
Token: SeSystemProfilePrivilege	1880	svchost.exe
Token: SeSystemtimePrivilege	1880	svchost.exe
Token: SeProfSingleProcessPrivilege	1880	svchost.exe
Token: SeIncBasePriorityPrivilege	1880	svchost.exe
Token: SeCreatePagefilePrivilege	1880	svchost.exe
Token: SeBackupPrivilege	1880	svchost.exe
Token: SeRestorePrivilege	1880	svchost.exe
Token: SeShutdownPrivilege	1880	svchost.exe
Token: SeDebugPrivilege	1880	svchost.exe
Token: SeSystemEnvironmentPrivilege	1880	svchost.exe
Token: SeChangeNotifyPrivilege	1880	svchost.exe
Token: SeRemoteShutdownPrivilege	1880	svchost.exe
Token: SeUndockPrivilege	1880	svchost.exe
Token: SeManageVolumePrivilege	1880	svchost.exe
Token: SeImpersonatePrivilege	1880	svchost.exe
Token: SeCreateGlobalPrivilege	1880	svchost.exe
Token: 33	1880	svchost.exe
Token: 34	1880	svchost.exe
Token: 35	1880	svchost.exe
Token: SeDebugPrivilege	1464	PrintConfig.exe
Token: SeIncreaseQuotaPrivilege	1816	svchost.exe
Token: SeSecurityPrivilege	1816	svchost.exe
Token: SeTakeOwnershipPrivilege	1816	svchost.exe
Token: SeLoadDriverPrivilege	1816	svchost.exe
Token: SeSystemProfilePrivilege	1816	svchost.exe
Token: SeSystemtimePrivilege	1816	svchost.exe
Token: SeProfSingleProcessPrivilege	1816	svchost.exe
Token: SeIncBasePriorityPrivilege	1816	svchost.exe
Token: SeCreatePagefilePrivilege	1816	svchost.exe
Token: SeBackupPrivilege	1816	svchost.exe
Token: SeRestorePrivilege	1816	svchost.exe
Token: SeShutdownPrivilege	1816	svchost.exe
Token: SeDebugPrivilege	1816	svchost.exe
Token: SeSystemEnvironmentPrivilege	1816	svchost.exe
Token: SeChangeNotifyPrivilege	1816	svchost.exe
Token: SeRemoteShutdownPrivilege	1816	svchost.exe
Token: SeUndockPrivilege	1816	svchost.exe
Token: SeManageVolumePrivilege	1816	svchost.exe
Token: SeImpersonatePrivilege	1816	svchost.exe
Token: SeCreateGlobalPrivilege	1816	svchost.exe
Token: 33	1816	svchost.exe
Token: 34	1816	svchost.exe
Token: 35	1816	svchost.exe
Token: SeDebugPrivilege	1604	cmiadapter.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1880	svchost.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 1880	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	26
PID 2032 wrote to memory of 2004	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	27
PID 2032 wrote to memory of 2004	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	27
PID 2032 wrote to memory of 2004	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	27
PID 2032 wrote to memory of 2004	2032	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	27
PID 2004 wrote to memory of 1160	2004	cmiadapter.exe	28
PID 2004 wrote to memory of 1160	2004	cmiadapter.exe	28
PID 2004 wrote to memory of 1160	2004	cmiadapter.exe	28
PID 2004 wrote to memory of 1160	2004	cmiadapter.exe	28
PID 2004 wrote to memory of 1464	2004	cmiadapter.exe	30
PID 2004 wrote to memory of 1464	2004	cmiadapter.exe	30
PID 2004 wrote to memory of 1464	2004	cmiadapter.exe	30
PID 2004 wrote to memory of 1464	2004	cmiadapter.exe	30
PID 1160 wrote to memory of 1512	1160	cmd.exe	31
PID 1160 wrote to memory of 1512	1160	cmd.exe	31
PID 1160 wrote to memory of 1512	1160	cmd.exe	31
PID 1160 wrote to memory of 1512	1160	cmd.exe	31
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1816	1464	PrintConfig.exe	32
PID 1464 wrote to memory of 1604	1464	PrintConfig.exe	33
PID 1464 wrote to memory of 1604	1464	PrintConfig.exe	33
PID 1464 wrote to memory of 1604	1464	PrintConfig.exe	33
PID 1464 wrote to memory of 1604	1464	PrintConfig.exe	33

C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
"C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
  "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:1512
- - C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe
    "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
      "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

Filesize
582KB

MD5
6ee8965f23ab498defe80b79ab2ca52c

SHA1
0d74605007a81bf44052dcf43385b236d9401c66

SHA256
0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

SHA512
9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

Filesize
582KB

MD5
6ee8965f23ab498defe80b79ab2ca52c

SHA1
0d74605007a81bf44052dcf43385b236d9401c66

SHA256
0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

SHA512
9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
\Users\Admin\AppData\Local\Temp\PrintConfig.exe

Filesize
582KB

MD5
6ee8965f23ab498defe80b79ab2ca52c

SHA1
0d74605007a81bf44052dcf43385b236d9401c66

SHA256
0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

SHA512
9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3

Download Submit
\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
memory/1464-90-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-95-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-120-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-121-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-115-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2004-93-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-81-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-91-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-94-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download