Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

A1DB2JVWGG.CNT.exe

windows7-x64

10

A1DB2JVWGG.CNT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2023, 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A1DB2JVWGG.CNT.exe

  • Size

    2.1MB

  • MD5

    a7817732eded62797b0c5e9da109edd7

  • SHA1

    e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

  • SHA256

    95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

  • SHA512

    3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

  • SSDEEP

    24576:tA74/4qimDN0nixgBQcZ+WtGsK0i+CqBRCJcbpaa4S7qeL7pjhlyIy6Vs6wGpYUa:tA74/t6FQcZ+WRs+BRL4ShjTyIF

Score
10/10
darkcometnanocorejune 2023evasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

darkcomet

Botnet

JUNE 2023

C2

timmy08.ddns.net:39399

Mutex

DC_MUTEX-75NC51J

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    l2V3BCJaaFmA

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    chrome

Extracted

Family

nanocore

Version

1.2.2.0

C2

timmy08.ddns.net:28289

timmy06.ddns.net:28289
Mutex

29684d78-e3d5-43d3-a123-9a499c3134c7

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    timmy06.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-03-13T20:49:24.260578036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    28289

  • default_group

    JUNE 2023

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    29684d78-e3d5-43d3-a123-9a499c3134c7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    timmy08.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe
    "C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4344
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JXayEzy.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61A8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4764
    • C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe
      "C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2JVWGG.CNT.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4412
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1864
      • C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE
        "C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4408
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1592
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3248
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1324
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JXayEzy.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:336
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp"
            4⤵
            • Creates scheduled task(s)
            PID:2332
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Modifies security service
            • Windows security bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4884
            • C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE
              "C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE"
              5⤵
              • Executes dropped EXE
              PID:2024
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              5⤵
                PID:3416

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        fccbcc1137c73ba4515d02550a946064

        SHA1

        6524dd758f36d93905a69c43b677a25b1710e95e

        SHA256

        33b2d9067a7277bc0daec4ab6ea4e5bc9e6462256277e0a387801b5a21213924

        SHA512

        ad13d9a863d1cadb1269a929f9d975704fa51fba7842533619f00a7d0fa2f860f3e663dd5d21c4ef64c705a26f20af6a9bd282d503df57dc1484dabe5f2bd2a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        fccbcc1137c73ba4515d02550a946064

        SHA1

        6524dd758f36d93905a69c43b677a25b1710e95e

        SHA256

        33b2d9067a7277bc0daec4ab6ea4e5bc9e6462256277e0a387801b5a21213924

        SHA512

        ad13d9a863d1cadb1269a929f9d975704fa51fba7842533619f00a7d0fa2f860f3e663dd5d21c4ef64c705a26f20af6a9bd282d503df57dc1484dabe5f2bd2a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE
        Filesize

        202KB

        MD5

        4d9ac7d6e684cd3874b662971b6bc536

        SHA1

        726cd96b680082910ebc451d7741a2d6934ed339

        SHA256

        48987956556721dfb5f988683693bebc094b5965f6bd58eeff928fd7c6ba9330

        SHA512

        27ddc60b921ed3b6b9223321ea310fa6ce9a3f4d0cb1b96899fc8fb08556d73f92fb3ec7da93a60de046105129b1b128828d5ab57869160749a5f7f2a7a8ab71

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE
        Filesize

        202KB

        MD5

        4d9ac7d6e684cd3874b662971b6bc536

        SHA1

        726cd96b680082910ebc451d7741a2d6934ed339

        SHA256

        48987956556721dfb5f988683693bebc094b5965f6bd58eeff928fd7c6ba9330

        SHA512

        27ddc60b921ed3b6b9223321ea310fa6ce9a3f4d0cb1b96899fc8fb08556d73f92fb3ec7da93a60de046105129b1b128828d5ab57869160749a5f7f2a7a8ab71

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE
        Filesize

        202KB

        MD5

        4d9ac7d6e684cd3874b662971b6bc536

        SHA1

        726cd96b680082910ebc451d7741a2d6934ed339

        SHA256

        48987956556721dfb5f988683693bebc094b5965f6bd58eeff928fd7c6ba9330

        SHA512

        27ddc60b921ed3b6b9223321ea310fa6ce9a3f4d0cb1b96899fc8fb08556d73f92fb3ec7da93a60de046105129b1b128828d5ab57869160749a5f7f2a7a8ab71

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JUNE STUB.EXE
        Filesize

        202KB

        MD5

        4d9ac7d6e684cd3874b662971b6bc536

        SHA1

        726cd96b680082910ebc451d7741a2d6934ed339

        SHA256

        48987956556721dfb5f988683693bebc094b5965f6bd58eeff928fd7c6ba9330

        SHA512

        27ddc60b921ed3b6b9223321ea310fa6ce9a3f4d0cb1b96899fc8fb08556d73f92fb3ec7da93a60de046105129b1b128828d5ab57869160749a5f7f2a7a8ab71

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zouc4yn3.e0h.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp4764.tmp
        Filesize

        1KB

        MD5

        fdfa0793e93886eb64f2d5ea6561113e

        SHA1

        f90008549c3329af1a5420d67eee2a29d22bf6a9

        SHA256

        b66b192d7565cf280ab8e61eec9b427a7f184a5ebf5094fb6612a7a1503060a8

        SHA512

        2a91ee70ba1ff6f67c1cd55581efd3437a8ce827c04d1b07fc5d3057f5b33c94fb35112008fe3b1958547b9af99c8aadbb5cd9ae23d1aba16968e5079547b106

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp61A8.tmp
        Filesize

        1KB

        MD5

        fdfa0793e93886eb64f2d5ea6561113e

        SHA1

        f90008549c3329af1a5420d67eee2a29d22bf6a9

        SHA256

        b66b192d7565cf280ab8e61eec9b427a7f184a5ebf5094fb6612a7a1503060a8

        SHA512

        2a91ee70ba1ff6f67c1cd55581efd3437a8ce827c04d1b07fc5d3057f5b33c94fb35112008fe3b1958547b9af99c8aadbb5cd9ae23d1aba16968e5079547b106

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        2.1MB

        MD5

        a7817732eded62797b0c5e9da109edd7

        SHA1

        e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

        SHA256

        95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

        SHA512

        3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        2.1MB

        MD5

        a7817732eded62797b0c5e9da109edd7

        SHA1

        e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

        SHA256

        95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

        SHA512

        3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        2.1MB

        MD5

        a7817732eded62797b0c5e9da109edd7

        SHA1

        e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

        SHA256

        95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

        SHA512

        3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        2.1MB

        MD5

        a7817732eded62797b0c5e9da109edd7

        SHA1

        e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

        SHA256

        95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

        SHA512

        3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

        Download Submit

      • memory/336-328-0x0000000002780000-0x0000000002790000-memory.dmp

        Filesize

        64KB

        Download

      • memory/336-357-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/336-333-0x0000000071450000-0x000000007149C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1324-327-0x00000000053D0000-0x00000000053E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-359-0x000000007F760000-0x000000007F770000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-356-0x00000000053D0000-0x00000000053E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-345-0x0000000071450000-0x000000007149C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1324-329-0x00000000053D0000-0x00000000053E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1344-241-0x0000000073BA0000-0x0000000073BEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1344-264-0x0000000002480000-0x0000000002490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1344-150-0x0000000005790000-0x00000000057F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1344-158-0x0000000002480000-0x0000000002490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1344-280-0x0000000007120000-0x000000000712A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1344-265-0x00000000070B0000-0x00000000070CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1344-240-0x0000000006380000-0x00000000063B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1344-152-0x0000000002480000-0x0000000002490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1344-251-0x0000000006350000-0x000000000636E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1344-176-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1344-263-0x0000000007700000-0x0000000007D7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1592-189-0x00000000011A0000-0x00000000011A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2024-355-0x00000000019F0000-0x0000000001A00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3248-297-0x0000000004D80000-0x0000000004D90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3248-283-0x0000000004D80000-0x0000000004D90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3416-332-0x0000000000600000-0x0000000000601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4180-185-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4180-175-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4180-173-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4180-172-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4180-188-0x0000000003210000-0x0000000003211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4180-284-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4344-276-0x000000007EE70000-0x000000007EE80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4344-148-0x0000000005870000-0x00000000058D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4344-288-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4344-289-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4344-282-0x0000000007D20000-0x0000000007DB6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4344-144-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4344-145-0x00000000059F0000-0x0000000006018000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4344-147-0x00000000057D0000-0x00000000057F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4344-149-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4344-266-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4344-287-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4344-151-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4344-252-0x0000000073BA0000-0x0000000073BEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4408-253-0x0000000001480000-0x0000000001490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4408-295-0x0000000001480000-0x0000000001490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4408-296-0x0000000001480000-0x0000000001490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4408-267-0x0000000001480000-0x0000000001490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4884-330-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-321-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-358-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-326-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-325-0x0000000003090000-0x0000000003091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4884-334-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-324-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-344-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/4884-364-0x0000000000400000-0x00000000004EC000-memory.dmp

        Filesize

        944KB

        Download

      • memory/5068-133-0x00000000007E0000-0x0000000000A06000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/5068-137-0x00000000055C0000-0x00000000055D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5068-136-0x00000000053D0000-0x00000000053DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/5068-138-0x00000000055C0000-0x00000000055D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5068-135-0x0000000005410000-0x00000000054A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5068-134-0x00000000059C0000-0x0000000005F64000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5068-139-0x0000000008C40000-0x0000000008CDC000-memory.dmp

        Filesize

        624KB

        Download