darkcomet | 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
Size

991KB
MD5

11e3b2761607342d846c806d3751449d
SHA1

bfe6ed2330a60bd526b5d8539ad2b42234eaf485
SHA256

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4
SHA512

3da48d314f4ef8ae143269316b675f45ab33bca167ea38f9b2842480e240598144e4c742320d73c9c0aed78b8de5667426c79cb08ce33b4122db3b743aab80b1
SSDEEP

24576:dysHFwrLe9O5VqIuJo9j9GzqlQ5VqIuJ:wslwLe97IuJo9j9BZIuJ

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

titus.no-ip.biz:1604

Mutex

DC_MUTEX-ZHXEX9Y

Attributes

gencode
2gyJ6nSw7VhP
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

TOKPIC.scrMsCtfMonitor.exertscom.exe

pid process

2040 TOKPIC.scr
556 MsCtfMonitor.exe
1972 rtscom.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1544-67-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-69-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-70-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-72-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-78-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-81-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-82-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1544-83-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exeTOKPIC.scrMsCtfMonitor.exe

pid process

2012 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
2040 TOKPIC.scr
556 MsCtfMonitor.exe

pid	process
2012	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
2040	TOKPIC.scr
556	MsCtfMonitor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsCtfMonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MsCtfMonitor.exe"	MsCtfMonitor.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

TOKPIC.scrrtscom.exe

description	pid	process	target process
PID 2040 set thread context of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 1972 set thread context of 1208	1972	rtscom.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TOKPIC.scrMsCtfMonitor.exertscom.exe

pid	process
2040	TOKPIC.scr
556	MsCtfMonitor.exe
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr
1972	rtscom.exe
2040	TOKPIC.scr

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exeTOKPIC.scrMsCtfMonitor.exeAppLaunch.exertscom.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2012	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
Token: SeDebugPrivilege	2040	TOKPIC.scr
Token: SeDebugPrivilege	556	MsCtfMonitor.exe
Token: SeIncreaseQuotaPrivilege	1544	AppLaunch.exe
Token: SeSecurityPrivilege	1544	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1544	AppLaunch.exe
Token: SeLoadDriverPrivilege	1544	AppLaunch.exe
Token: SeSystemProfilePrivilege	1544	AppLaunch.exe
Token: SeSystemtimePrivilege	1544	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1544	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1544	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1544	AppLaunch.exe
Token: SeBackupPrivilege	1544	AppLaunch.exe
Token: SeRestorePrivilege	1544	AppLaunch.exe
Token: SeShutdownPrivilege	1544	AppLaunch.exe
Token: SeDebugPrivilege	1544	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1544	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1544	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1544	AppLaunch.exe
Token: SeUndockPrivilege	1544	AppLaunch.exe
Token: SeManageVolumePrivilege	1544	AppLaunch.exe
Token: SeImpersonatePrivilege	1544	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1544	AppLaunch.exe
Token: 33	1544	AppLaunch.exe
Token: 34	1544	AppLaunch.exe
Token: 35	1544	AppLaunch.exe
Token: SeDebugPrivilege	1972	rtscom.exe
Token: SeIncreaseQuotaPrivilege	1208	AppLaunch.exe
Token: SeSecurityPrivilege	1208	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1208	AppLaunch.exe
Token: SeLoadDriverPrivilege	1208	AppLaunch.exe
Token: SeSystemProfilePrivilege	1208	AppLaunch.exe
Token: SeSystemtimePrivilege	1208	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1208	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1208	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1208	AppLaunch.exe
Token: SeBackupPrivilege	1208	AppLaunch.exe
Token: SeRestorePrivilege	1208	AppLaunch.exe
Token: SeShutdownPrivilege	1208	AppLaunch.exe
Token: SeDebugPrivilege	1208	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1208	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1208	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1208	AppLaunch.exe
Token: SeUndockPrivilege	1208	AppLaunch.exe
Token: SeManageVolumePrivilege	1208	AppLaunch.exe
Token: SeImpersonatePrivilege	1208	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1208	AppLaunch.exe
Token: 33	1208	AppLaunch.exe
Token: 34	1208	AppLaunch.exe
Token: 35	1208	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

516 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

1544 AppLaunch.exe

pid	process
516	DllHost.exe

pid	process
1544	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exeTOKPIC.scrMsCtfMonitor.exertscom.exe

description	pid	process	target process
PID 2012 wrote to memory of 2040	2012	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 2012 wrote to memory of 2040	2012	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 2012 wrote to memory of 2040	2012	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 2012 wrote to memory of 2040	2012	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 1544	2040	TOKPIC.scr	AppLaunch.exe
PID 2040 wrote to memory of 556	2040	TOKPIC.scr	MsCtfMonitor.exe
PID 2040 wrote to memory of 556	2040	TOKPIC.scr	MsCtfMonitor.exe
PID 2040 wrote to memory of 556	2040	TOKPIC.scr	MsCtfMonitor.exe
PID 2040 wrote to memory of 556	2040	TOKPIC.scr	MsCtfMonitor.exe
PID 556 wrote to memory of 1972	556	MsCtfMonitor.exe	rtscom.exe
PID 556 wrote to memory of 1972	556	MsCtfMonitor.exe	rtscom.exe
PID 556 wrote to memory of 1972	556	MsCtfMonitor.exe	rtscom.exe
PID 556 wrote to memory of 1972	556	MsCtfMonitor.exe	rtscom.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe
PID 1972 wrote to memory of 1208	1972	rtscom.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
"C:\Users\Admin\AppData\Local\Temp\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
"C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr" /S
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\rtscom.exe
"C:\Users\Admin\AppData\Local\Temp\rtscom.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Software\western union.jpg
Filesize
70KB

MD5
beff307d39f0dff0373692f510204cf8

SHA1
9c42a7aee39596bb6c50d92d066ccc57f43a3559

SHA256
40962997af7601e2d05245cf5e045c0063b22aecfd880870b68d9e409299e1a7

SHA512
ae14157c55faecfab440c0b032ec011ef5679dc4f6f3dd489aad1b4761532e10f405bfb18fe155432174bc639b0d5786364e253d99be86d421eca51e3a3a2153

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtscom.exe
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtscom.exe
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
Filesize
8KB

MD5
893651b0ac929b3280f1345e1b5e0133

SHA1
363d729f2474a0f71d30a790d90f36e69def86bf

SHA256
f103179a7579ac464240ff1bc31be932d50eabe2df0bbe4f8b5c85e43415ffc9

SHA512
a76e0a6f47d6c1ebe847d5bf650ba60c5bc9c2e33988db7e626affd0e8534882e9367448bb3215bd4515e9159c616d5202456992bce7bcdb3dd19070fc7ab606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
Filesize
8KB

MD5
893651b0ac929b3280f1345e1b5e0133

SHA1
363d729f2474a0f71d30a790d90f36e69def86bf

SHA256
f103179a7579ac464240ff1bc31be932d50eabe2df0bbe4f8b5c85e43415ffc9

SHA512
a76e0a6f47d6c1ebe847d5bf650ba60c5bc9c2e33988db7e626affd0e8534882e9367448bb3215bd4515e9159c616d5202456992bce7bcdb3dd19070fc7ab606

Download Submit
\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
\Users\Admin\AppData\Local\Temp\rtscom.exe
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
Filesize
8KB

MD5
893651b0ac929b3280f1345e1b5e0133

SHA1
363d729f2474a0f71d30a790d90f36e69def86bf

SHA256
f103179a7579ac464240ff1bc31be932d50eabe2df0bbe4f8b5c85e43415ffc9

SHA512
a76e0a6f47d6c1ebe847d5bf650ba60c5bc9c2e33988db7e626affd0e8534882e9367448bb3215bd4515e9159c616d5202456992bce7bcdb3dd19070fc7ab606

Download Submit
memory/556-75-0x0000000000000000-mapping.dmp

Download
memory/556-89-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/556-92-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1208-108-0x000000000047B000-0x00000000004B9000-memory.dmp

Filesize
248KB

Download
memory/1208-100-0x00000000004B8BA0-mapping.dmp

Download
memory/1544-90-0x000000000047B000-0x00000000004B9000-memory.dmp

Filesize
248KB

Download
memory/1544-71-0x00000000004B8BA0-mapping.dmp

Download
memory/1544-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-93-0x000000000047B000-0x00000000004B9000-memory.dmp

Filesize
248KB

Download
memory/1544-78-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-81-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-82-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-83-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1972-86-0x0000000000000000-mapping.dmp

Download
memory/1972-91-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-94-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-60-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-62-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download
memory/2040-63-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-65-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download