darkcomet | 9297c4ff4b04787c2561f6c32e09c5aa98b6930c8c2cc9bc7332ac4aa3950b28

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe
Size

778KB
MD5

4cbb202d7c3ab05996c4adf4b5699d94
SHA1

c3e7e9a20e7d2c5cacd2c70dd98f36e85e4fb7be
SHA256

9297c4ff4b04787c2561f6c32e09c5aa98b6930c8c2cc9bc7332ac4aa3950b28
SHA512

3dd690d570f0d05c5f33c295bcf7d35847402d0304299bba043d2614f8e94caeb346fc55ed46da6444048997528b7191bffae6b6c5ea19b1d5038e3c7b11cd58
SSDEEP

12288:MshgmzsbGEI8EAGZ/fzpPAxhbpdhfwqzEwoeC1u+2YyrJ49tUDLHa1WnfZZ1ooUf:qm8idAxNN1DoDkXr+0aYZ7nA44oS53

Score

10^/10

darkcomet victim discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

craigkc.no-ip.biz:1604

Mutex

DC_MUTEX-GCQ0EQH

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
tjNQY0ZuLDn8
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2744	attrib.exe
2752	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

msdcsc.exemsdcsc.eXe

pid	Process
2840	msdcsc.exe
2796	msdcsc.eXe

Loads dropped DLL 2 IoCs

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe

pid	Process
3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXemsdcsc.eXe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.eXe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exemsdcsc.exe

description	pid	Process	procid_target
PID 2688 set thread context of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2840 set thread context of 2796	2840	msdcsc.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.execmd.exemsdcsc.eXenotepad.exemsdcsc.exe4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXecmd.exeattrib.exeattrib.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.eXe

pid	Process
2796	msdcsc.eXe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXemsdcsc.eXe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeSecurityPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeTakeOwnershipPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeLoadDriverPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeSystemProfilePrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeSystemtimePrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeProfSingleProcessPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeIncBasePriorityPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeCreatePagefilePrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeBackupPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeRestorePrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeShutdownPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeDebugPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeSystemEnvironmentPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeChangeNotifyPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeRemoteShutdownPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeUndockPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeManageVolumePrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeImpersonatePrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeCreateGlobalPrivilege	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: 33	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: 34	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: 35	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
Token: SeIncreaseQuotaPrivilege	2796	msdcsc.eXe
Token: SeSecurityPrivilege	2796	msdcsc.eXe
Token: SeTakeOwnershipPrivilege	2796	msdcsc.eXe
Token: SeLoadDriverPrivilege	2796	msdcsc.eXe
Token: SeSystemProfilePrivilege	2796	msdcsc.eXe
Token: SeSystemtimePrivilege	2796	msdcsc.eXe
Token: SeProfSingleProcessPrivilege	2796	msdcsc.eXe
Token: SeIncBasePriorityPrivilege	2796	msdcsc.eXe
Token: SeCreatePagefilePrivilege	2796	msdcsc.eXe
Token: SeBackupPrivilege	2796	msdcsc.eXe
Token: SeRestorePrivilege	2796	msdcsc.eXe
Token: SeShutdownPrivilege	2796	msdcsc.eXe
Token: SeDebugPrivilege	2796	msdcsc.eXe
Token: SeSystemEnvironmentPrivilege	2796	msdcsc.eXe
Token: SeChangeNotifyPrivilege	2796	msdcsc.eXe
Token: SeRemoteShutdownPrivilege	2796	msdcsc.eXe
Token: SeUndockPrivilege	2796	msdcsc.eXe
Token: SeManageVolumePrivilege	2796	msdcsc.eXe
Token: SeImpersonatePrivilege	2796	msdcsc.eXe
Token: SeCreateGlobalPrivilege	2796	msdcsc.eXe
Token: 33	2796	msdcsc.eXe
Token: 34	2796	msdcsc.eXe
Token: 35	2796	msdcsc.eXe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exemsdcsc.exemsdcsc.eXe

pid	Process
2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe
2840	msdcsc.exe
2796	msdcsc.eXe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXecmd.execmd.exemsdcsc.exemsdcsc.eXe

description	pid	Process	procid_target
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 2688 wrote to memory of 3004	2688	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2928	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	31
PID 3004 wrote to memory of 2928	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	31
PID 3004 wrote to memory of 2928	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	31
PID 3004 wrote to memory of 2928	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	31
PID 3004 wrote to memory of 2800	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	32
PID 3004 wrote to memory of 2800	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	32
PID 3004 wrote to memory of 2800	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	32
PID 3004 wrote to memory of 2800	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	32
PID 2928 wrote to memory of 2744	2928	cmd.exe	35
PID 2928 wrote to memory of 2744	2928	cmd.exe	35
PID 2928 wrote to memory of 2744	2928	cmd.exe	35
PID 2928 wrote to memory of 2744	2928	cmd.exe	35
PID 2800 wrote to memory of 2752	2800	cmd.exe	36
PID 2800 wrote to memory of 2752	2800	cmd.exe	36
PID 2800 wrote to memory of 2752	2800	cmd.exe	36
PID 2800 wrote to memory of 2752	2800	cmd.exe	36
PID 3004 wrote to memory of 2840	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	37
PID 3004 wrote to memory of 2840	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	37
PID 3004 wrote to memory of 2840	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	37
PID 3004 wrote to memory of 2840	3004	4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe	37
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2840 wrote to memory of 2796	2840	msdcsc.exe	38
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39
PID 2796 wrote to memory of 3024	2796	msdcsc.eXe	39

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2744	attrib.exe
2752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe
  "C:\Users\Admin\AppData\Local\Temp\4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118.eXe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2752
- - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.eXe
      "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.eXe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

Filesize
778KB

MD5
4cbb202d7c3ab05996c4adf4b5699d94

SHA1
c3e7e9a20e7d2c5cacd2c70dd98f36e85e4fb7be

SHA256
9297c4ff4b04787c2561f6c32e09c5aa98b6930c8c2cc9bc7332ac4aa3950b28

SHA512
3dd690d570f0d05c5f33c295bcf7d35847402d0304299bba043d2614f8e94caeb346fc55ed46da6444048997528b7191bffae6b6c5ea19b1d5038e3c7b11cd58

Download Submit
memory/2796-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2796-52-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-2-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3004-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3024-54-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download