darkcomet | d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f

Analysis

max time kernel
153s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe
Size

800KB
MD5

962b6297bfe02e597197fc3d104558f0
SHA1

1cf73f2d2e62f6076466bc8dbeed93aaa44643ca
SHA256

d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f
SHA512

85d663827c02c509705e2a689bf520fdd0b82d68e2f3e9cf0fe9b1b239425685c37636ce9fc74412630b668dc80fba8a1c13dc7bbaec40af0bc90aade95616fb
SSDEEP

12288:qS1hFDxZFbhf3T/aBkuqyGunESWdXYwPaF4dDenvKv+Ie:1FPH7YkTvSWN5PI4M9I

Score

10^/10

darkcomet pony guest16 collection discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

185.84.181.81:100

Mutex

DC_MUTEX-0DKXA0V

Attributes

gencode
M5VVBQQEtzRs
install
false
offline_keylogger
true
persistence
false

Extracted

Family

pony

http://lynch.herobo.com/pcss/gate.php

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 3 IoCs

pid	Process
1748	#68858363.exe
2008	#68858363.exe
1224	NcbService.exe

Loads dropped DLL 2 IoCs

pid	Process
1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe
1748	#68858363.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	#68858363.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	#68858363.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\NcbService.exe"	NcbService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1748 set thread context of 2008	1748	#68858363.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1224	NcbService.exe
1224	NcbService.exe
1224	NcbService.exe
1224	NcbService.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe
1224	NcbService.exe
1748	#68858363.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe
Token: SeDebugPrivilege	1748	#68858363.exe
Token: SeIncreaseQuotaPrivilege	1532	vbc.exe
Token: SeSecurityPrivilege	1532	vbc.exe
Token: SeTakeOwnershipPrivilege	1532	vbc.exe
Token: SeLoadDriverPrivilege	1532	vbc.exe
Token: SeSystemProfilePrivilege	1532	vbc.exe
Token: SeSystemtimePrivilege	1532	vbc.exe
Token: SeProfSingleProcessPrivilege	1532	vbc.exe
Token: SeIncBasePriorityPrivilege	1532	vbc.exe
Token: SeCreatePagefilePrivilege	1532	vbc.exe
Token: SeBackupPrivilege	1532	vbc.exe
Token: SeRestorePrivilege	1532	vbc.exe
Token: SeShutdownPrivilege	1532	vbc.exe
Token: SeDebugPrivilege	1532	vbc.exe
Token: SeSystemEnvironmentPrivilege	1532	vbc.exe
Token: SeChangeNotifyPrivilege	1532	vbc.exe
Token: SeRemoteShutdownPrivilege	1532	vbc.exe
Token: SeUndockPrivilege	1532	vbc.exe
Token: SeManageVolumePrivilege	1532	vbc.exe
Token: SeImpersonatePrivilege	1532	vbc.exe
Token: SeCreateGlobalPrivilege	1532	vbc.exe
Token: 33	1532	vbc.exe
Token: 34	1532	vbc.exe
Token: 35	1532	vbc.exe
Token: SeImpersonatePrivilege	2008	#68858363.exe
Token: SeTcbPrivilege	2008	#68858363.exe
Token: SeChangeNotifyPrivilege	2008	#68858363.exe
Token: SeCreateTokenPrivilege	2008	#68858363.exe
Token: SeBackupPrivilege	2008	#68858363.exe
Token: SeRestorePrivilege	2008	#68858363.exe
Token: SeIncreaseQuotaPrivilege	2008	#68858363.exe
Token: SeAssignPrimaryTokenPrivilege	2008	#68858363.exe
Token: SeDebugPrivilege	1224	NcbService.exe
Token: SeImpersonatePrivilege	2008	#68858363.exe
Token: SeTcbPrivilege	2008	#68858363.exe
Token: SeChangeNotifyPrivilege	2008	#68858363.exe
Token: SeCreateTokenPrivilege	2008	#68858363.exe
Token: SeBackupPrivilege	2008	#68858363.exe
Token: SeRestorePrivilege	2008	#68858363.exe
Token: SeIncreaseQuotaPrivilege	2008	#68858363.exe
Token: SeAssignPrimaryTokenPrivilege	2008	#68858363.exe
Token: SeImpersonatePrivilege	2008	#68858363.exe
Token: SeTcbPrivilege	2008	#68858363.exe
Token: SeChangeNotifyPrivilege	2008	#68858363.exe
Token: SeCreateTokenPrivilege	2008	#68858363.exe
Token: SeBackupPrivilege	2008	#68858363.exe
Token: SeRestorePrivilege	2008	#68858363.exe
Token: SeIncreaseQuotaPrivilege	2008	#68858363.exe
Token: SeAssignPrimaryTokenPrivilege	2008	#68858363.exe
Token: SeImpersonatePrivilege	2008	#68858363.exe
Token: SeTcbPrivilege	2008	#68858363.exe
Token: SeChangeNotifyPrivilege	2008	#68858363.exe
Token: SeCreateTokenPrivilege	2008	#68858363.exe
Token: SeBackupPrivilege	2008	#68858363.exe
Token: SeRestorePrivilege	2008	#68858363.exe
Token: SeIncreaseQuotaPrivilege	2008	#68858363.exe
Token: SeAssignPrimaryTokenPrivilege	2008	#68858363.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	vbc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1748	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	28
PID 1468 wrote to memory of 1748	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	28
PID 1468 wrote to memory of 1748	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	28
PID 1468 wrote to memory of 1748	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	28
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1468 wrote to memory of 1532	1468	d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe	29
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 2008	1748	#68858363.exe	31
PID 1748 wrote to memory of 1224	1748	#68858363.exe	32
PID 1748 wrote to memory of 1224	1748	#68858363.exe	32
PID 1748 wrote to memory of 1224	1748	#68858363.exe	32
PID 1748 wrote to memory of 1224	1748	#68858363.exe	32

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	#68858363.exe

C:\Users\Admin\AppData\Local\Temp\d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe
"C:\Users\Admin\AppData\Local\Temp\d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\Desktop\#68858363.exe
  "C:\Users\Admin\Desktop\#68858363.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\Desktop\#68858363.exe
    "C:\Users\Admin\Desktop\#68858363.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
    PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe

Filesize
800KB

MD5
962b6297bfe02e597197fc3d104558f0

SHA1
1cf73f2d2e62f6076466bc8dbeed93aaa44643ca

SHA256
d615c2abea3b04bda1e19238670dd4487e38846ec04bf47c01ed7053b3d17a5f

SHA512
85d663827c02c509705e2a689bf520fdd0b82d68e2f3e9cf0fe9b1b239425685c37636ce9fc74412630b668dc80fba8a1c13dc7bbaec40af0bc90aade95616fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
C:\Users\Admin\Desktop\#68858363.exe

Filesize
252KB

MD5
b5650bec1d01746d75e461ef2dc85630

SHA1
2ba8dc54781ae6b70c084eb799dce114ef861f4d

SHA256
0647f8e4204684f97500ee4ac84e0e99d666b7f14aa199e5fc6427b6b39b0ea2

SHA512
77ec6763d338cabff95835f6ca26d45c9ada0546cde8ce3a1a712aa13ce35b1773e0087cd9af9b73583eff70ab024a5d624b8394e55dbcdb4fa895bd1b23a6e3

Download Submit
C:\Users\Admin\Desktop\#68858363.exe

Filesize
252KB

MD5
b5650bec1d01746d75e461ef2dc85630

SHA1
2ba8dc54781ae6b70c084eb799dce114ef861f4d

SHA256
0647f8e4204684f97500ee4ac84e0e99d666b7f14aa199e5fc6427b6b39b0ea2

SHA512
77ec6763d338cabff95835f6ca26d45c9ada0546cde8ce3a1a712aa13ce35b1773e0087cd9af9b73583eff70ab024a5d624b8394e55dbcdb4fa895bd1b23a6e3

Download Submit
C:\Users\Admin\Desktop\#68858363.exe

Filesize
252KB

MD5
b5650bec1d01746d75e461ef2dc85630

SHA1
2ba8dc54781ae6b70c084eb799dce114ef861f4d

SHA256
0647f8e4204684f97500ee4ac84e0e99d666b7f14aa199e5fc6427b6b39b0ea2

SHA512
77ec6763d338cabff95835f6ca26d45c9ada0546cde8ce3a1a712aa13ce35b1773e0087cd9af9b73583eff70ab024a5d624b8394e55dbcdb4fa895bd1b23a6e3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
9KB

MD5
48628262e75352bc581317d1a6c3a96d

SHA1
fb09a89eb6e51aac584b3866f6be347e32c8651e

SHA256
572f5216d3428ab7bdceb4761d7144bf9754f0b37dcad1f5c649b7220d464da8

SHA512
4278fb2ce5523e2cc791c775886c8b0c0ed2417bb12f55445f61cd6520559ba2a929009b591aaafdb207e340bc63fecd8b33c10fe30f2d14d48e4c655f82aaf8

Download Submit
\Users\Admin\Desktop\#68858363.exe

Filesize
252KB

MD5
b5650bec1d01746d75e461ef2dc85630

SHA1
2ba8dc54781ae6b70c084eb799dce114ef861f4d

SHA256
0647f8e4204684f97500ee4ac84e0e99d666b7f14aa199e5fc6427b6b39b0ea2

SHA512
77ec6763d338cabff95835f6ca26d45c9ada0546cde8ce3a1a712aa13ce35b1773e0087cd9af9b73583eff70ab024a5d624b8394e55dbcdb4fa895bd1b23a6e3

Download Submit
memory/1224-103-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-99-0x0000000000000000-mapping.dmp

Download
memory/1224-106-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1468-80-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1468-55-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1468-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1532-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-105-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-76-0x000000000048F888-mapping.dmp

Download
memory/1532-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1532-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1748-104-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-78-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-57-0x0000000000000000-mapping.dmp

Download
memory/2008-85-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-95-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-97-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-86-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-88-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-89-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-91-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2008-92-0x000000000041003A-mapping.dmp

Download
memory/2008-107-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download