darkcomet | bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

Analysis

max time kernel
48s
max time network
76s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
Size

331KB
MD5

eb2cc33b05f167b62155d3afdd33bca2
SHA1

884068cd29cc9ff4d8a1a1d898f5a868d547c334
SHA256

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af
SHA512

9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096
SSDEEP

6144:SM41YTICjnbHv1eNJa0rr7DxodlqFYZwfjJVYv0yGKb52Wf:SKjLv03aYDxodluYZw7JV+2Wf

Score

10^/10

darkcomet hawkeye keylogger persistence rat spyware stealer trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

explorer.exesysglobl.exeiedvtool.exe

pid process

1184 explorer.exe
1484 sysglobl.exe
1372 iedvtool.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1984-67-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-69-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-71-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-73-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-75-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-77-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-78-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1984-79-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1184 explorer.exe

Loads dropped DLL 6 IoCs

Processes:

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exeexplorer.exesysglobl.exe

pid	process
908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
1184	explorer.exe
1184	explorer.exe
1484	sysglobl.exe
1484	sysglobl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysglobl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\© Windows Live Messenger Music Status Plugin Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysglobl.exe"	sysglobl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeiedvtool.exe

description	pid	process	target process
PID 1184 set thread context of 1984	1184	explorer.exe	AppLaunch.exe
PID 1372 set thread context of 1284	1372	iedvtool.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exesysglobl.exeiedvtool.exe

pid	process
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1484	sysglobl.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1484	sysglobl.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1484	sysglobl.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1484	sysglobl.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1372	iedvtool.exe
1184	explorer.exe
1484	sysglobl.exe
1372	iedvtool.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exeexplorer.exesysglobl.exeAppLaunch.exeiedvtool.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
Token: SeDebugPrivilege	1184	explorer.exe
Token: SeDebugPrivilege	1484	sysglobl.exe
Token: SeIncreaseQuotaPrivilege	1984	AppLaunch.exe
Token: SeSecurityPrivilege	1984	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1984	AppLaunch.exe
Token: SeLoadDriverPrivilege	1984	AppLaunch.exe
Token: SeSystemProfilePrivilege	1984	AppLaunch.exe
Token: SeSystemtimePrivilege	1984	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1984	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1984	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1984	AppLaunch.exe
Token: SeBackupPrivilege	1984	AppLaunch.exe
Token: SeRestorePrivilege	1984	AppLaunch.exe
Token: SeShutdownPrivilege	1984	AppLaunch.exe
Token: SeDebugPrivilege	1984	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1984	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1984	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1984	AppLaunch.exe
Token: SeUndockPrivilege	1984	AppLaunch.exe
Token: SeManageVolumePrivilege	1984	AppLaunch.exe
Token: SeImpersonatePrivilege	1984	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1984	AppLaunch.exe
Token: 33	1984	AppLaunch.exe
Token: 34	1984	AppLaunch.exe
Token: 35	1984	AppLaunch.exe
Token: SeDebugPrivilege	1372	iedvtool.exe
Token: SeIncreaseQuotaPrivilege	1284	AppLaunch.exe
Token: SeSecurityPrivilege	1284	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1284	AppLaunch.exe
Token: SeLoadDriverPrivilege	1284	AppLaunch.exe
Token: SeSystemProfilePrivilege	1284	AppLaunch.exe
Token: SeSystemtimePrivilege	1284	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1284	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1284	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1284	AppLaunch.exe
Token: SeBackupPrivilege	1284	AppLaunch.exe
Token: SeRestorePrivilege	1284	AppLaunch.exe
Token: SeShutdownPrivilege	1284	AppLaunch.exe
Token: SeDebugPrivilege	1284	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1284	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1284	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1284	AppLaunch.exe
Token: SeUndockPrivilege	1284	AppLaunch.exe
Token: SeManageVolumePrivilege	1284	AppLaunch.exe
Token: SeImpersonatePrivilege	1284	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1284	AppLaunch.exe
Token: 33	1284	AppLaunch.exe
Token: 34	1284	AppLaunch.exe
Token: 35	1284	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

1984 AppLaunch.exe

pid	process
1984	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exeexplorer.exesysglobl.exeiedvtool.exe

description	pid	process	target process
PID 908 wrote to memory of 1184	908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 908 wrote to memory of 1184	908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 908 wrote to memory of 1184	908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 908 wrote to memory of 1184	908	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1984	1184	explorer.exe	AppLaunch.exe
PID 1184 wrote to memory of 1484	1184	explorer.exe	sysglobl.exe
PID 1184 wrote to memory of 1484	1184	explorer.exe	sysglobl.exe
PID 1184 wrote to memory of 1484	1184	explorer.exe	sysglobl.exe
PID 1184 wrote to memory of 1484	1184	explorer.exe	sysglobl.exe
PID 1484 wrote to memory of 1372	1484	sysglobl.exe	iedvtool.exe
PID 1484 wrote to memory of 1372	1484	sysglobl.exe	iedvtool.exe
PID 1484 wrote to memory of 1372	1484	sysglobl.exe	iedvtool.exe
PID 1484 wrote to memory of 1372	1484	sysglobl.exe	iedvtool.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe
PID 1372 wrote to memory of 1284	1372	iedvtool.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
"C:\Users\Admin\AppData\Local\Temp\bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
"C:\Users\Admin\AppData\Local\Temp\sysglobl.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\iedvtool.exe
"C:\Users\Admin\AppData\Local\Temp\iedvtool.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
9ce7cd302354cd9620e92b882dc708a7

SHA1
1760eebb77ffe46e49caba7d0e488cfe504053e5

SHA256
2437275ae372d5259895be8b178b57cef465775d020f00e8440f2d9c01948d9c

SHA512
693ff1642b5f4739cc9a8bedb8f4f8033a40407f6793e21b724257f9516cd383c1f911b823a25e0af5a803b2749b76f4881ad09d31926589f71bd8d91c023327

Download Submit
C:\Users\Admin\AppData\Local\Temp\iedvtool.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\iedvtool.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
Filesize
5KB

MD5
f497644617b3acfeb96112688987bdca

SHA1
f053af1485c7ed5da986c0ddf156a4e30fe21fe0

SHA256
9da37d8226e60103d6e1a5457e24f195d3fbc664b71ab759aeeb231a8c93f2ed

SHA512
934a1057a7c11e7eb015b9c666c632953197128775abccb779014c179f5653b728aa5383fd668147528b7148c9e444bd6a0df8a7a9ca8c30712c6c3a3c2e17e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
Filesize
5KB

MD5
f497644617b3acfeb96112688987bdca

SHA1
f053af1485c7ed5da986c0ddf156a4e30fe21fe0

SHA256
9da37d8226e60103d6e1a5457e24f195d3fbc664b71ab759aeeb231a8c93f2ed

SHA512
934a1057a7c11e7eb015b9c666c632953197128775abccb779014c179f5653b728aa5383fd668147528b7148c9e444bd6a0df8a7a9ca8c30712c6c3a3c2e17e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
\Users\Admin\AppData\Local\Temp\iedvtool.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
\Users\Admin\AppData\Local\Temp\iedvtool.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
\Users\Admin\AppData\Local\Temp\sysglobl.exe
Filesize
5KB

MD5
f497644617b3acfeb96112688987bdca

SHA1
f053af1485c7ed5da986c0ddf156a4e30fe21fe0

SHA256
9da37d8226e60103d6e1a5457e24f195d3fbc664b71ab759aeeb231a8c93f2ed

SHA512
934a1057a7c11e7eb015b9c666c632953197128775abccb779014c179f5653b728aa5383fd668147528b7148c9e444bd6a0df8a7a9ca8c30712c6c3a3c2e17e1

Download Submit
\Users\Admin\AppData\Local\Temp\sysglobl.exe
Filesize
5KB

MD5
f497644617b3acfeb96112688987bdca

SHA1
f053af1485c7ed5da986c0ddf156a4e30fe21fe0

SHA256
9da37d8226e60103d6e1a5457e24f195d3fbc664b71ab759aeeb231a8c93f2ed

SHA512
934a1057a7c11e7eb015b9c666c632953197128775abccb779014c179f5653b728aa5383fd668147528b7148c9e444bd6a0df8a7a9ca8c30712c6c3a3c2e17e1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
memory/908-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/908-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/908-56-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/908-63-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-64-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1184-110-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-109-0x0000000000481000-0x00000000004C7000-memory.dmp

Filesize
280KB

Download
memory/1284-98-0x00000000004C6940-mapping.dmp

Download
memory/1372-108-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-89-0x0000000000000000-mapping.dmp

Download
memory/1372-113-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-107-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-82-0x0000000000000000-mapping.dmp

Download
memory/1484-112-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-79-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-66-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-67-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-69-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-106-0x0000000000481000-0x00000000004C7000-memory.dmp

Filesize
280KB

Download
memory/1984-71-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-78-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-77-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-75-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-111-0x0000000000481000-0x00000000004C7000-memory.dmp

Filesize
280KB

Download
memory/1984-73-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-72-0x00000000004C6940-mapping.dmp

Download