darkcomet | 56d44f1bc684d5b24308fdcf2cc9e25adbe7a96f170900e978f2120a6f10f826

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
Size

929KB
MD5

55b2a24013188c8edd410d3feef91291
SHA1

4b61c2e4ceb1bec720865285343d6dbdf31191fe
SHA256

56d44f1bc684d5b24308fdcf2cc9e25adbe7a96f170900e978f2120a6f10f826
SHA512

fec50faedf68bbe02a33c4bc8a4abef50b0fbb8d9ecd0c15f2695e48234b2cbaa382782c322d5778c7840c20a7f927439ef5c1fedbe29924f436fec8c647800b
SSDEEP

24576:k15XqaF/hrSj2yydT2SLsUmVzMA5o8KnZ1PMQ3B:kfjjArK6xzMo/KnrPMQR

Score

10^/10

darkcomet mini absolute discovery persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Mini Absolute

kallysky.no-ip.biz:100

Mutex

DCMIN_MUTEX-Y9S6G37

Attributes

gencode
0KU1aR0S8e4r
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mnirh.vbs	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe

Executes dropped EXE 5 IoCs

pid	Process
2924	mnirh.exe
2572	mnirh.exe
2376	FB_5BB7.tmp.exe
2652	FB_5C25.tmp.exe
2664	esfaa.exe

Loads dropped DLL 9 IoCs

pid	Process
1684	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
1684	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
2924	mnirh.exe
2572	mnirh.exe
2572	mnirh.exe
2572	mnirh.exe
2572	mnirh.exe
2652	FB_5C25.tmp.exe
2652	FB_5C25.tmp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6513DF34-CE0F-A742-6AFD-EDECF0776727} = "C:\\Users\\Admin\\AppData\\Roaming\\Suzia\\esfaa.exe"	esfaa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 2572	2924	mnirh.exe	29
PID 2652 set thread context of 1144	2652	FB_5C25.tmp.exe	34

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-0-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/memory/1684-2-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/files/0x0008000000014714-12.dat	upx
behavioral1/memory/1684-16-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/memory/2924-17-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/memory/2924-18-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/memory/2924-19-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/memory/2924-22-0x0000000000400000-0x00000000005A1000-memory.dmp	upx
behavioral1/memory/2376-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x0007000000014a05-52.dat	upx
behavioral1/memory/2376-542-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_5C25.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnirh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnirh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_5BB7.tmp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy	FB_5BB7.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	FB_5BB7.tmp.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\04FA04D8-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe
2664	esfaa.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2652	FB_5C25.tmp.exe
Token: SeIncreaseQuotaPrivilege	2376	FB_5BB7.tmp.exe
Token: SeSecurityPrivilege	2376	FB_5BB7.tmp.exe
Token: SeTakeOwnershipPrivilege	2376	FB_5BB7.tmp.exe
Token: SeLoadDriverPrivilege	2376	FB_5BB7.tmp.exe
Token: SeSystemProfilePrivilege	2376	FB_5BB7.tmp.exe
Token: SeSystemtimePrivilege	2376	FB_5BB7.tmp.exe
Token: SeProfSingleProcessPrivilege	2376	FB_5BB7.tmp.exe
Token: SeIncBasePriorityPrivilege	2376	FB_5BB7.tmp.exe
Token: SeCreatePagefilePrivilege	2376	FB_5BB7.tmp.exe
Token: SeBackupPrivilege	2376	FB_5BB7.tmp.exe
Token: SeRestorePrivilege	2376	FB_5BB7.tmp.exe
Token: SeShutdownPrivilege	2376	FB_5BB7.tmp.exe
Token: SeDebugPrivilege	2376	FB_5BB7.tmp.exe
Token: SeSystemEnvironmentPrivilege	2376	FB_5BB7.tmp.exe
Token: SeChangeNotifyPrivilege	2376	FB_5BB7.tmp.exe
Token: SeRemoteShutdownPrivilege	2376	FB_5BB7.tmp.exe
Token: SeUndockPrivilege	2376	FB_5BB7.tmp.exe
Token: SeManageVolumePrivilege	2376	FB_5BB7.tmp.exe
Token: SeImpersonatePrivilege	2376	FB_5BB7.tmp.exe
Token: SeCreateGlobalPrivilege	2376	FB_5BB7.tmp.exe
Token: 33	2376	FB_5BB7.tmp.exe
Token: 34	2376	FB_5BB7.tmp.exe
Token: 35	2376	FB_5BB7.tmp.exe
Token: SeSecurityPrivilege	2376	FB_5BB7.tmp.exe
Token: SeSecurityPrivilege	2376	FB_5BB7.tmp.exe
Token: SeManageVolumePrivilege	2884	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2884	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2884	WinMail.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	FB_5BB7.tmp.exe
2884	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2924	1684	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	28
PID 1684 wrote to memory of 2924	1684	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	28
PID 1684 wrote to memory of 2924	1684	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	28
PID 1684 wrote to memory of 2924	1684	JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe	28
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2924 wrote to memory of 2572	2924	mnirh.exe	29
PID 2572 wrote to memory of 2376	2572	mnirh.exe	30
PID 2572 wrote to memory of 2376	2572	mnirh.exe	30
PID 2572 wrote to memory of 2376	2572	mnirh.exe	30
PID 2572 wrote to memory of 2376	2572	mnirh.exe	30
PID 2572 wrote to memory of 2652	2572	mnirh.exe	31
PID 2572 wrote to memory of 2652	2572	mnirh.exe	31
PID 2572 wrote to memory of 2652	2572	mnirh.exe	31
PID 2572 wrote to memory of 2652	2572	mnirh.exe	31
PID 2652 wrote to memory of 2664	2652	FB_5C25.tmp.exe	32
PID 2652 wrote to memory of 2664	2652	FB_5C25.tmp.exe	32
PID 2652 wrote to memory of 2664	2652	FB_5C25.tmp.exe	32
PID 2652 wrote to memory of 2664	2652	FB_5C25.tmp.exe	32
PID 2664 wrote to memory of 1120	2664	esfaa.exe	19
PID 2664 wrote to memory of 1120	2664	esfaa.exe	19
PID 2664 wrote to memory of 1120	2664	esfaa.exe	19
PID 2664 wrote to memory of 1120	2664	esfaa.exe	19
PID 2664 wrote to memory of 1120	2664	esfaa.exe	19
PID 2664 wrote to memory of 1164	2664	esfaa.exe	20
PID 2664 wrote to memory of 1164	2664	esfaa.exe	20
PID 2664 wrote to memory of 1164	2664	esfaa.exe	20
PID 2664 wrote to memory of 1164	2664	esfaa.exe	20
PID 2664 wrote to memory of 1164	2664	esfaa.exe	20
PID 2664 wrote to memory of 1200	2664	esfaa.exe	21
PID 2664 wrote to memory of 1200	2664	esfaa.exe	21
PID 2664 wrote to memory of 1200	2664	esfaa.exe	21
PID 2664 wrote to memory of 1200	2664	esfaa.exe	21
PID 2664 wrote to memory of 1200	2664	esfaa.exe	21
PID 2664 wrote to memory of 1624	2664	esfaa.exe	23
PID 2664 wrote to memory of 1624	2664	esfaa.exe	23
PID 2664 wrote to memory of 1624	2664	esfaa.exe	23
PID 2664 wrote to memory of 1624	2664	esfaa.exe	23
PID 2664 wrote to memory of 1624	2664	esfaa.exe	23
PID 2664 wrote to memory of 2376	2664	esfaa.exe	30
PID 2664 wrote to memory of 2376	2664	esfaa.exe	30
PID 2664 wrote to memory of 2376	2664	esfaa.exe	30
PID 2664 wrote to memory of 2376	2664	esfaa.exe	30
PID 2664 wrote to memory of 2376	2664	esfaa.exe	30
PID 2664 wrote to memory of 2652	2664	esfaa.exe	31
PID 2664 wrote to memory of 2652	2664	esfaa.exe	31
PID 2664 wrote to memory of 2652	2664	esfaa.exe	31
PID 2664 wrote to memory of 2652	2664	esfaa.exe	31
PID 2664 wrote to memory of 2652	2664	esfaa.exe	31
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34
PID 2652 wrote to memory of 1144	2652	FB_5C25.tmp.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55b2a24013188c8edd410d3feef91291.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe
    "C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe
      "C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\FB_5BB7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FB_5BB7.tmp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\FB_5C25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FB_5C25.tmp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Users\Admin\AppData\Roaming\Suzia\esfaa.exe
        
        "C:\Users\Admin\AppData\Roaming\Suzia\esfaa.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp62673db0.bat"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1624

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
5e6a057d6042c5ee3b3a010f7806262d

SHA1
4f362b13712c5a24e4db6badcf091271f1ac0d0e

SHA256
4cc1d748fc40e51c9f4b17fc77837d05f05148c490512187cb51b9bd33ae82bc

SHA512
9a7d1af7aa146914ce01e028b5b834c86f98a06f6963fa655ead1a0c773fe4ce6225de0f7a76193d5d2b6a66d8dcf7b2f6f08b2064993ef4428647ee93540776

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5BB7.tmp.exe

Filesize
232KB

MD5
9893e6b5c05fe1235064e40c1ee45a3a

SHA1
fcdac4f8f899d34dbeae55dc23cbff4e332c87d8

SHA256
ed29717345c12eec41322173b1b0fe198ae3eb94eacd2b5055fc3613ef7a37ae

SHA512
ced3414101a47f3ba438c9943f42855f2eed360493ff30afbfedfdf22f97c2f1005a7d86fa9a65adb12ee28f514d27702739bf399786c2365d298aff11d980b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5C25.tmp.exe

Filesize
138KB

MD5
8325311ef585133d81164f7d0ae895db

SHA1
babd91d840a0ff704f9b9aca66f2537cb3569a1d

SHA256
f2a5085b2d81c0f41ab980f3be0631f2bb05622df085308dc3bcadb1ed7d69f5

SHA512
e97dc85a4b9d0fd871411d7e8808cbb29461ffb3951e7edec10ece98a0c1948d82cc35e26a8a56b64e7e4769cc0b3ec5f6983e8f27d7e234d49e85f0c2715287

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62673db0.bat

Filesize
201B

MD5
1f79f16e960d7e1a14d82ef3cccd3c96

SHA1
80973c0c6b1957857c82ddbc73c3568c50da8a53

SHA256
3960ffca1d5fb4b362033c06baf8ce6c83e7e2d4e0d5f85b05ede8d1d3d11676

SHA512
64ec67c836abc2ee6a06b9e03cd1e625c1256ee8565260d08d0ff58a2a537e6b1102f61f75b41781428a569b85049b62d235b24b9eb776d9557e9660f229d171

Download Submit
C:\Users\Admin\AppData\Roaming\Xuupov\ycxyz.imu

Filesize
345B

MD5
8df83bb8f8b8047d3fca2ce7d2702a65

SHA1
e0b08f62ee944812eb03269b251e8f7ee245f81e

SHA256
286c588f196d8a5ce5c5698490f8336f2fb2844be970708867ce8ebeb434cf98

SHA512
2f6d64c405ab7df2ba7d8627f3974e94dd6696783cdca90c330f03cc95774cbe6c6c8d680b0e5d894feee510b2d27359d6e54af766ea27d1319f8a528d6a8a01

Download Submit
C:\Users\Admin\AppData\Roaming\mnirh\mnirh.exe

Filesize
929KB

MD5
55b2a24013188c8edd410d3feef91291

SHA1
4b61c2e4ceb1bec720865285343d6dbdf31191fe

SHA256
56d44f1bc684d5b24308fdcf2cc9e25adbe7a96f170900e978f2120a6f10f826

SHA512
fec50faedf68bbe02a33c4bc8a4abef50b0fbb8d9ecd0c15f2695e48234b2cbaa382782c322d5778c7840c20a7f927439ef5c1fedbe29924f436fec8c647800b

Download Submit
\Users\Admin\AppData\Roaming\Suzia\esfaa.exe

Filesize
138KB

MD5
1d60db5bd802ab0c914f50fa106b7ece

SHA1
f0f9b495a4b9ca0706c80e8efebfa5110ca167bd

SHA256
4f3ec02630c84505ecace280983f70542416101992ef83fd11227bf830262a26

SHA512
49d381dca3280638ebe5a15c7af17287e99690461413784bbac8bf88a202e835b25a09cc1940b5225a98bb7c6a8cc1fbbd34e09d64e2747ce59c143113462777

Download Submit
memory/1120-84-0x00000000020B0000-0x00000000020D7000-memory.dmp

Filesize
156KB

Download
memory/1120-78-0x00000000020B0000-0x00000000020D7000-memory.dmp

Filesize
156KB

Download
memory/1120-82-0x00000000020B0000-0x00000000020D7000-memory.dmp

Filesize
156KB

Download
memory/1120-80-0x00000000020B0000-0x00000000020D7000-memory.dmp

Filesize
156KB

Download
memory/1120-76-0x00000000020B0000-0x00000000020D7000-memory.dmp

Filesize
156KB

Download
memory/1164-94-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1164-88-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1164-90-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1164-92-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1200-98-0x0000000002940000-0x0000000002967000-memory.dmp

Filesize
156KB

Download
memory/1200-102-0x0000000002940000-0x0000000002967000-memory.dmp

Filesize
156KB

Download
memory/1200-104-0x0000000002940000-0x0000000002967000-memory.dmp

Filesize
156KB

Download
memory/1200-100-0x0000000002940000-0x0000000002967000-memory.dmp

Filesize
156KB

Download
memory/1624-112-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1624-114-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1624-110-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1624-108-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1684-2-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1684-6-0x0000000000491000-0x0000000000496000-memory.dmp

Filesize
20KB

Download
memory/1684-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1684-0-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1684-16-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1684-14-0x00000000031A0000-0x0000000003341000-memory.dmp

Filesize
1.6MB

Download
memory/2376-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2376-542-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2376-118-0x0000000003810000-0x0000000003837000-memory.dmp

Filesize
156KB

Download
memory/2572-39-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-45-0x0000000002430000-0x00000000024E7000-memory.dmp

Filesize
732KB

Download
memory/2572-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-25-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-30-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-51-0x0000000002430000-0x00000000024E7000-memory.dmp

Filesize
732KB

Download
memory/2572-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-38-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-41-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2924-22-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2924-19-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2924-18-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2924-17-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download