darkcomet | 99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Size

2.1MB
MD5

80331cb992b4aaf28c0109096c78e137
SHA1

856a328b145d2a02f591d2fd62e71e21db4e0622
SHA256

99c3b4f9d4c32256e5ab697c5dc4ff1d753b146c846681e429e2a3eb2f207ada
SHA512

128e2ea41800e3a93da297921f918014ae1dc05750f7dcace823fdcd365f422127dca449dd5ce05813ce44eff195b6f589cc95bf4cc40f404bb00eb9ed79a5be
SSDEEP

24576:WDQMyUCLowSEwiR49iPUHV8XgYrpxbNT9IA0HD4OsqirBJu9crkQCmLMR:W8MyUCNd+vVeob0OMp2

Score

10^/10

darkcomet latentbot getjava defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Getjava

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-NPVY9D6

Attributes

gencode
z3bx7DQvDgi3
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

essstzttztz.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

jx.exe

pid process

5036 jx.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
5036	jx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javacs = "C:\\Users\\Admin\\AppData\\Roaming\\javamc.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe

description	pid	process	target process
PID 3500 set thread context of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 set thread context of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jx.exe	upx
behavioral2/memory/5036-44-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral2/memory/4340-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-55-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5036-61-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral2/memory/4340-65-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-64-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5036-72-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral2/memory/4340-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-75-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-77-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-78-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-79-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-81-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-82-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-83-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-84-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4340-85-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exevbc.execmd.exejx.exevbc.exe80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4340	vbc.exe
Token: SeSecurityPrivilege	4340	vbc.exe
Token: SeTakeOwnershipPrivilege	4340	vbc.exe
Token: SeLoadDriverPrivilege	4340	vbc.exe
Token: SeSystemProfilePrivilege	4340	vbc.exe
Token: SeSystemtimePrivilege	4340	vbc.exe
Token: SeProfSingleProcessPrivilege	4340	vbc.exe
Token: SeIncBasePriorityPrivilege	4340	vbc.exe
Token: SeCreatePagefilePrivilege	4340	vbc.exe
Token: SeBackupPrivilege	4340	vbc.exe
Token: SeRestorePrivilege	4340	vbc.exe
Token: SeShutdownPrivilege	4340	vbc.exe
Token: SeDebugPrivilege	4340	vbc.exe
Token: SeSystemEnvironmentPrivilege	4340	vbc.exe
Token: SeChangeNotifyPrivilege	4340	vbc.exe
Token: SeRemoteShutdownPrivilege	4340	vbc.exe
Token: SeUndockPrivilege	4340	vbc.exe
Token: SeManageVolumePrivilege	4340	vbc.exe
Token: SeImpersonatePrivilege	4340	vbc.exe
Token: SeCreateGlobalPrivilege	4340	vbc.exe
Token: 33	4340	vbc.exe
Token: 34	4340	vbc.exe
Token: 35	4340	vbc.exe
Token: 36	4340	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exevbc.exe

pid process

3732 vbc.exe
4340 vbc.exe

pid	process
3732	vbc.exe
4340	vbc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 3500 wrote to memory of 4500	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4500	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4500	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 4500 wrote to memory of 2596	4500	vbc.exe	cvtres.exe
PID 4500 wrote to memory of 2596	4500	vbc.exe	cvtres.exe
PID 4500 wrote to memory of 2596	4500	vbc.exe	cvtres.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 3732	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 744	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	cmd.exe
PID 3500 wrote to memory of 744	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	cmd.exe
PID 3500 wrote to memory of 744	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	cmd.exe
PID 3500 wrote to memory of 5036	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	jx.exe
PID 3500 wrote to memory of 5036	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	jx.exe
PID 3500 wrote to memory of 5036	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	jx.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe
PID 3500 wrote to memory of 4340	3500	80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80331cb992b4aaf28c0109096c78e137_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bonse633.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC3B0D4CC3934B5092D6DE8BE9A56353.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3732
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:744
- C:\Users\Admin\AppData\Local\Temp\jx.exe
  "C:\Users\Admin\AppData\Local\Temp\jx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp

Filesize
1KB

MD5
21bb8ddd5033d2350888358dcc6055e9

SHA1
ede850ddde52f5ba5335f907599a0900163f96c9

SHA256
6d66e6da8081eac444200d8bfbb78fd1bb69cca4327a051b0049c84dde6c84ed

SHA512
3fa5ad3815aad1cc07bede703c2f705f4b726747ddd01de1ac4bd29df0087e626e003d1c7e6c986d1d16aa3498c7fd7b728090734091f0af9736687673468f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\bonse633.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bonse633.cmdline

Filesize
317B

MD5
1946a7420d7fb634775ed5283e2e7c37

SHA1
56a7542764bc122fc71c64df05c66bd10a3c7d22

SHA256
619e7d544a276db787ba64697948c26062e95cb35880a404bc889c48f00eaee8

SHA512
f3de7bc30167f8033a0196c9aca6efd3f58c64b6f94ea01fabc2783fd2ad1cec8ddf456d1f3564c24e75b98fe57b5f86bd3651a60d5c682eb3bb74c427de7e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bonse633.dll

Filesize
6KB

MD5
9bd14c0f061acbf72e71bc651241fbde

SHA1
79a4261973598d063fb878f938e1f283d376b7e8

SHA256
94851a3ae75bc60b507872025b2938c2df02931542cad9504444d7910a20f13a

SHA512
4939e79c49aabc56d2d36c0a00a82abe940edd55e9c6df1c27986f96b9a7caa3b611b864aed4d954c80d4b35566ac30b844d86ecccb4c99aef616ad4a49e7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
163KB

MD5
286d788cbfc076f0e661a7ea37380f7b

SHA1
ce05b510fce4f15f6cc057e735b84d3668773cda

SHA256
7883a10de8b37568d96e653c0654350820322c5f1e99f6d207313fc3304ecbd9

SHA512
83fc1dde2e0e3b94dbdc0dcd1a836716d3f08b0420e14afac7fbc2887776bf6437e4b5da761420c32f099d619979e386daf4ffac94ec4fa2df7d365461007c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\jx.exe

Filesize
871KB

MD5
f6167efc4d1ef0d0e2739a521f6c87d0

SHA1
c8d1a4b74fd774718ad5d2210e5db1a8c57f931c

SHA256
ec3357953ca575beffae55678548f8348cbeaef6a753d3de151007862962e03e

SHA512
ce39f11229ed14011acfd0a0edb9bf4bcf9f043b72e8d14320c3235f6889e05ec4dffc521af8ad481326140e31a475badff86a54be45740b857e84fd42342901

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAC3B0D4CC3934B5092D6DE8BE9A56353.TMP

Filesize
652B

MD5
1d3b82fcea659b062e08244adad5caf1

SHA1
3c514f4544f14209a09e87e28885c861e8d25f43

SHA256
cfbefa9a36449f11682f5ddd80d0aaca7bcd32a292571f3d57e4b306e00ab108

SHA512
543a64052e0b489d0637f0b4ac1ebea5607f1617d5501d1df021f6778a966e7e1dd6208fbea1b00a2c6e9605ec5f85f5584039a78e2c05113de696c4c9690878

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
100B

MD5
46141ad6a47ab3d59e09d2e191cee4c9

SHA1
8ccccc6069099a080e7d264200d4c6206e5b1fa5

SHA256
7c5221717bcc045387d609cbd4b1801159e417a9908bad7fc89a271371e6f2a4

SHA512
59afd1d01c979a4c75a565da390265ace4f8594f231a8ba9e6091357e143472a9c4d3e363d75a13a771798d35bfcd897bce0e8ae62db175eebf97a750969bb6e

Download Submit
C:\Users\Admin\AppData\Roaming\javamc.exe:ZONE.identifier

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3500-2-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3500-1-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3500-53-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3500-0-0x0000000074AD2000-0x0000000074AD3000-memory.dmp

Filesize
4KB

Download
memory/3732-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3732-30-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3732-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4340-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-85-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-84-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-55-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-81-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4340-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4500-16-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4500-7-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/5036-44-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5036-61-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5036-72-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download