darkcomet | 668c940714a02ba7bfa0aa4cbefbe8f396a0250060d5c7063c729f8fcc57a39c

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quotations.scr
Size

869KB
MD5

b3744139e8d3392ae463249ff04f917f
SHA1

89094e0d61c52141499bf3d9b71db66486ac7d87
SHA256

6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb
SHA512

f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712
SSDEEP

12288:1qQADfHsnjusfToB0+cARh97RPyGSTciWBjKchwebSSieLneTO7uA8a:HADfHWyssB0ER1PyUB3GebSSiweq7uA

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

house10i.ddns.net:1604

Mutex

DC_MUTEX-L6GEJVR

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uvQYcLsQZYrq
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 5 IoCs

Processes:

msdcsc.exeIpOverUsbSvrc.exeAcctres.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

pid process

4180 msdcsc.exe
3868 IpOverUsbSvrc.exe
4772 Acctres.exe
1640 IpOverUsbSvrc.exe
2276 IpOverUsbSvrc.exe

pid	process
4180	msdcsc.exe
3868	IpOverUsbSvrc.exe
4772	Acctres.exe
1640	IpOverUsbSvrc.exe
2276	IpOverUsbSvrc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

takshost.exequotations.scrAcctres.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	takshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	quotations.scr
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	Acctres.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

quotations.scr

description pid process target process

PID 4000 set thread context of 4248 4000 quotations.scr vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4000 set thread context of 4248	4000	quotations.scr	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

quotations.scr

pid	process
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr
4000	quotations.scr

Suspicious behavior: RenamesItself 1 IoCs

Processes:

quotations.scr

pid process

4000 quotations.scr

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

quotations.scrvbc.exeIpOverUsbSvrc.exeAcctres.exetakshost.exe

description	pid	process
Token: SeDebugPrivilege	4000	quotations.scr
Token: SeIncreaseQuotaPrivilege	4248	vbc.exe
Token: SeSecurityPrivilege	4248	vbc.exe
Token: SeTakeOwnershipPrivilege	4248	vbc.exe
Token: SeLoadDriverPrivilege	4248	vbc.exe
Token: SeSystemProfilePrivilege	4248	vbc.exe
Token: SeSystemtimePrivilege	4248	vbc.exe
Token: SeProfSingleProcessPrivilege	4248	vbc.exe
Token: SeIncBasePriorityPrivilege	4248	vbc.exe
Token: SeCreatePagefilePrivilege	4248	vbc.exe
Token: SeBackupPrivilege	4248	vbc.exe
Token: SeRestorePrivilege	4248	vbc.exe
Token: SeShutdownPrivilege	4248	vbc.exe
Token: SeDebugPrivilege	4248	vbc.exe
Token: SeSystemEnvironmentPrivilege	4248	vbc.exe
Token: SeChangeNotifyPrivilege	4248	vbc.exe
Token: SeRemoteShutdownPrivilege	4248	vbc.exe
Token: SeUndockPrivilege	4248	vbc.exe
Token: SeManageVolumePrivilege	4248	vbc.exe
Token: SeImpersonatePrivilege	4248	vbc.exe
Token: SeCreateGlobalPrivilege	4248	vbc.exe
Token: 33	4248	vbc.exe
Token: 34	4248	vbc.exe
Token: 35	4248	vbc.exe
Token: 36	4248	vbc.exe
Token: SeDebugPrivilege	3868	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	4772	Acctres.exe
Token: SeDebugPrivilege	4500	takshost.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

quotations.scrvbc.exeIpOverUsbSvrc.exeAcctres.exetakshost.exe

description	pid	process	target process
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4000 wrote to memory of 4248	4000	quotations.scr	vbc.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 5104	4248	vbc.exe	notepad.exe
PID 4248 wrote to memory of 4180	4248	vbc.exe	msdcsc.exe
PID 4248 wrote to memory of 4180	4248	vbc.exe	msdcsc.exe
PID 4248 wrote to memory of 4180	4248	vbc.exe	msdcsc.exe
PID 4000 wrote to memory of 3868	4000	quotations.scr	IpOverUsbSvrc.exe
PID 4000 wrote to memory of 3868	4000	quotations.scr	IpOverUsbSvrc.exe
PID 4000 wrote to memory of 3868	4000	quotations.scr	IpOverUsbSvrc.exe
PID 3868 wrote to memory of 4772	3868	IpOverUsbSvrc.exe	Acctres.exe
PID 3868 wrote to memory of 4772	3868	IpOverUsbSvrc.exe	Acctres.exe
PID 3868 wrote to memory of 4772	3868	IpOverUsbSvrc.exe	Acctres.exe
PID 4000 wrote to memory of 4500	4000	quotations.scr	takshost.exe
PID 4000 wrote to memory of 4500	4000	quotations.scr	takshost.exe
PID 4000 wrote to memory of 4500	4000	quotations.scr	takshost.exe
PID 4772 wrote to memory of 1640	4772	Acctres.exe	IpOverUsbSvrc.exe
PID 4772 wrote to memory of 1640	4772	Acctres.exe	IpOverUsbSvrc.exe
PID 4772 wrote to memory of 1640	4772	Acctres.exe	IpOverUsbSvrc.exe
PID 4500 wrote to memory of 2276	4500	takshost.exe	IpOverUsbSvrc.exe
PID 4500 wrote to memory of 2276	4500	takshost.exe	IpOverUsbSvrc.exe
PID 4500 wrote to memory of 2276	4500	takshost.exe	IpOverUsbSvrc.exe

C:\Users\Admin\AppData\Local\Temp\quotations.scr
"C:\Users\Admin\AppData\Local\Temp\quotations.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
3⤵
- Executes dropped EXE
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
memory/1640-158-0x0000000000000000-mapping.dmp

Download
memory/1640-162-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-165-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1640-164-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2276-170-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2276-167-0x0000000000000000-mapping.dmp

Download
memory/3868-156-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-141-0x0000000000000000-mapping.dmp

Download
memory/3868-146-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-148-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4000-132-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4000-133-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4000-155-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-140-0x0000000000000000-mapping.dmp

Download
memory/4248-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4248-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4248-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4248-134-0x0000000000000000-mapping.dmp

Download
memory/4248-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4248-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4500-154-0x0000000000000000-mapping.dmp

Download
memory/4500-163-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-157-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4772-149-0x0000000000000000-mapping.dmp

Download
memory/4772-166-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4772-153-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4772-152-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/5104-139-0x0000000000000000-mapping.dmp

Download