darkcomet | fa4f3e812f7fa32f6d32846c18f5252c20cc743f677c20a2f118376d35f8f7c1

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Size

787KB
MD5

f56cdab52206e4783be6cf175293a012
SHA1

66d495a7b3daf9f18bad8b2388403453706c035a
SHA256

fa4f3e812f7fa32f6d32846c18f5252c20cc743f677c20a2f118376d35f8f7c1
SHA512

a9ab7c512b6ca422c50325f2017c53b4b9db03c6e31c44ca167005c070a09b976e715930477867652b4ec445d7a547a934dc2bac7f3d33cdd40769ef1b2fea19
SSDEEP

12288:SpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIboB:MwAcu99lPzvxP+Bsz2XjWTRMQckkIbo

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exewinupdate.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

LOADER.EXEwinupdate.exe

pid	Process
2872	LOADER.EXE
2644	winupdate.exe

Loads dropped DLL 6 IoCs

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exewinupdate.exe

pid	Process
828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
2644	winupdate.exe
2644	winupdate.exe
2644	winupdate.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/828-0-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/files/0x000d000000015c5a-16.dat	upx
behavioral1/memory/2644-21-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/828-18-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-30-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-33-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2644-32-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-35-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-39-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-37-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-41-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-43-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-45-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-49-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-47-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-53-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-51-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-55-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-57-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-59-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-61-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-62-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-63-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-64-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-66-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-65-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-67-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-68-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2868-69-0x0000000000400000-0x00000000004C6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winupdate.exe

description	pid	Process	procid_target
PID 2644 set thread context of 2868	2644	winupdate.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exewinupdate.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exewinupdate.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid	Process
2868	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exewinupdate.exeexplorer.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeSecurityPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeSystemtimePrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeBackupPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeRestorePrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeShutdownPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeDebugPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeUndockPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeManageVolumePrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeImpersonatePrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: 33	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: 34	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: 35	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2644	winupdate.exe
Token: SeSecurityPrivilege	2644	winupdate.exe
Token: SeTakeOwnershipPrivilege	2644	winupdate.exe
Token: SeLoadDriverPrivilege	2644	winupdate.exe
Token: SeSystemProfilePrivilege	2644	winupdate.exe
Token: SeSystemtimePrivilege	2644	winupdate.exe
Token: SeProfSingleProcessPrivilege	2644	winupdate.exe
Token: SeIncBasePriorityPrivilege	2644	winupdate.exe
Token: SeCreatePagefilePrivilege	2644	winupdate.exe
Token: SeBackupPrivilege	2644	winupdate.exe
Token: SeRestorePrivilege	2644	winupdate.exe
Token: SeShutdownPrivilege	2644	winupdate.exe
Token: SeDebugPrivilege	2644	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2644	winupdate.exe
Token: SeChangeNotifyPrivilege	2644	winupdate.exe
Token: SeRemoteShutdownPrivilege	2644	winupdate.exe
Token: SeUndockPrivilege	2644	winupdate.exe
Token: SeManageVolumePrivilege	2644	winupdate.exe
Token: SeImpersonatePrivilege	2644	winupdate.exe
Token: SeCreateGlobalPrivilege	2644	winupdate.exe
Token: 33	2644	winupdate.exe
Token: 34	2644	winupdate.exe
Token: 35	2644	winupdate.exe
Token: SeIncreaseQuotaPrivilege	2868	explorer.exe
Token: SeSecurityPrivilege	2868	explorer.exe
Token: SeTakeOwnershipPrivilege	2868	explorer.exe
Token: SeLoadDriverPrivilege	2868	explorer.exe
Token: SeSystemProfilePrivilege	2868	explorer.exe
Token: SeSystemtimePrivilege	2868	explorer.exe
Token: SeProfSingleProcessPrivilege	2868	explorer.exe
Token: SeIncBasePriorityPrivilege	2868	explorer.exe
Token: SeCreatePagefilePrivilege	2868	explorer.exe
Token: SeBackupPrivilege	2868	explorer.exe
Token: SeRestorePrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeDebugPrivilege	2868	explorer.exe
Token: SeSystemEnvironmentPrivilege	2868	explorer.exe
Token: SeChangeNotifyPrivilege	2868	explorer.exe
Token: SeRemoteShutdownPrivilege	2868	explorer.exe
Token: SeUndockPrivilege	2868	explorer.exe
Token: SeManageVolumePrivilege	2868	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid	Process
2868	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

f56cdab52206e4783be6cf175293a012_JaffaCakes118.exewinupdate.exe

description	pid	Process	procid_target
PID 828 wrote to memory of 2872	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	28
PID 828 wrote to memory of 2872	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	28
PID 828 wrote to memory of 2872	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	28
PID 828 wrote to memory of 2872	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	28
PID 828 wrote to memory of 2540	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	29
PID 828 wrote to memory of 2540	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	29
PID 828 wrote to memory of 2540	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	29
PID 828 wrote to memory of 2540	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	29
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 828 wrote to memory of 2644	828	f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31
PID 2644 wrote to memory of 2868	2644	winupdate.exe	31

C:\Users\Admin\AppData\Local\Temp\f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f56cdab52206e4783be6cf175293a012_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
  "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:2540
- C:\Windupdt\winupdate.exe
  "C:\Windupdt\winupdate.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windupdt\winupdate.exe

Filesize
787KB

MD5
f56cdab52206e4783be6cf175293a012

SHA1
66d495a7b3daf9f18bad8b2388403453706c035a

SHA256
fa4f3e812f7fa32f6d32846c18f5252c20cc743f677c20a2f118376d35f8f7c1

SHA512
a9ab7c512b6ca422c50325f2017c53b4b9db03c6e31c44ca167005c070a09b976e715930477867652b4ec445d7a547a934dc2bac7f3d33cdd40769ef1b2fea19

Download Submit
\Users\Admin\AppData\Local\Temp\LOADER.EXE

Filesize
4KB

MD5
9e9d25a215fea80339e0ccf734ad203d

SHA1
d0a91f98d001f009ea7ed13e71eac58537095af0

SHA256
d1bfaf9ec2b02c248b3cb9d321578a2c92dde99a1aa8bbfa5a110d42923ce27c

SHA512
87cb324c4ad9f5b3542fc4f22ae2e2524136cefbe2cc9c9f563eed7958fec6010e925d508a789913db3506cef48d45c03621d6e30dbf869c3ab6876b97afc5a6

Download Submit
memory/828-1-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/828-17-0x0000000003DD0000-0x0000000003E96000-memory.dmp

Filesize
792KB

Download
memory/828-18-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/828-0-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2644-32-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2644-21-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2644-24-0x00000000004D0000-0x0000000000596000-memory.dmp

Filesize
792KB

Download
memory/2868-43-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-55-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-30-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-35-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-39-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-37-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-41-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-45-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-49-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-47-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-53-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-51-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-33-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-57-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-59-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-61-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-62-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-63-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-64-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-66-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-65-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-67-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-68-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2868-69-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download