darkcomet | adbc98dac44fb8972064a49ebb3112bd4fd0cdee6717a19bcc18553321a068d6

Resubmissions

14-01-2025 09:16

250114-k8rx4awkhr 3

14-01-2025 06:28

250114-g8nnwszkbz 10

09-10-2022 16:10

221009-tmc2gshdbp 10

Analysis

max time kernel
190s
max time network
190s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-01-2025 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkComet_-_v.5.3.1_FWB.zip
Size

15.2MB
MD5

2198e442609a28a84653d700ef1fb501
SHA1

c6caa5d1b457de542f04d5845d67c5c7676db148
SHA256

adbc98dac44fb8972064a49ebb3112bd4fd0cdee6717a19bcc18553321a068d6
SHA512

cff1a782b912a44af8ab12770b2a76dd494ae8fdc596b0c7f67ff1e2902f72cdf3807a6675dec4972ed7459bd1c47eaa839c7fb04fa4004b2214de0f1965bdf7
SSDEEP

393216:uFj55EAdqMASOu3kIxQbtTXQpeaFmPxwX+8uKzk:uFF5dmSONxbtTAkaF0o+80

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

dnsali.3utilities.com:1604

Mutex

DC_MUTEX-S3VT824

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
aedfreoKqqaC
install
true
offline_keylogger
true
password
12022005
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	DarkComet - v.5.3.1 FWB.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\Control Panel\International\Geo\Nation	DarkComet - v.5.3.1 FWB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\Control Panel\International\Geo\Nation	DarkComet - v.5.3.1 FWB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\Control Panel\International\Geo\Nation	DarkComet - v.5.3.1 FWB.exe

Executes dropped EXE 7 IoCs

pid	Process
3004	DarkComet - v.5.3.1 FWB.exe
548	DarkComet - v.5.3.1 FWB.exe
4696	DarkComet - v.5.3.1 FWB.exe
2836	msdcsc.exe
4508	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe
3544	DarkComet - v.5.3.1 FWB.exe

Loads dropped DLL 1 IoCs

pid	Process
4416	DarkComet - v.5.3.1 FWB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	DarkComet - v.5.3.1 FWB.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	DarkComet - v.5.3.1 FWB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	DarkComet - v.5.3.1 FWB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	DarkComet - v.5.3.1 FWB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet - v.5.3.1 FWB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet - v.5.3.1 FWB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet - v.5.3.1 FWB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet - v.5.3.1 FWB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet - v.5.3.1 FWB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet - v.5.3.1 FWB.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	DarkComet - v.5.3.1 FWB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	DarkComet - v.5.3.1 FWB.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3344	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3344	7zFM.exe
Token: 35	3344	7zFM.exe
Token: SeShutdownPrivilege	328	MusNotification.exe
Token: SeCreatePagefilePrivilege	328	MusNotification.exe
Token: SeSecurityPrivilege	3344	7zFM.exe
Token: SeIncreaseQuotaPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeSecurityPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeTakeOwnershipPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeLoadDriverPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeSystemProfilePrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeSystemtimePrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeProfSingleProcessPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeIncBasePriorityPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeCreatePagefilePrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeBackupPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeRestorePrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeShutdownPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeDebugPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeSystemEnvironmentPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeChangeNotifyPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeRemoteShutdownPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeUndockPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeManageVolumePrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeImpersonatePrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeCreateGlobalPrivilege	4696	DarkComet - v.5.3.1 FWB.exe
Token: 33	4696	DarkComet - v.5.3.1 FWB.exe
Token: 34	4696	DarkComet - v.5.3.1 FWB.exe
Token: 35	4696	DarkComet - v.5.3.1 FWB.exe
Token: 36	4696	DarkComet - v.5.3.1 FWB.exe
Token: SeIncreaseQuotaPrivilege	2836	msdcsc.exe
Token: SeSecurityPrivilege	2836	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2836	msdcsc.exe
Token: SeLoadDriverPrivilege	2836	msdcsc.exe
Token: SeSystemProfilePrivilege	2836	msdcsc.exe
Token: SeSystemtimePrivilege	2836	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2836	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2836	msdcsc.exe
Token: SeCreatePagefilePrivilege	2836	msdcsc.exe
Token: SeBackupPrivilege	2836	msdcsc.exe
Token: SeRestorePrivilege	2836	msdcsc.exe
Token: SeShutdownPrivilege	2836	msdcsc.exe
Token: SeDebugPrivilege	2836	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2836	msdcsc.exe
Token: SeChangeNotifyPrivilege	2836	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2836	msdcsc.exe
Token: SeUndockPrivilege	2836	msdcsc.exe
Token: SeManageVolumePrivilege	2836	msdcsc.exe
Token: SeImpersonatePrivilege	2836	msdcsc.exe
Token: SeCreateGlobalPrivilege	2836	msdcsc.exe
Token: 33	2836	msdcsc.exe
Token: 34	2836	msdcsc.exe
Token: 35	2836	msdcsc.exe
Token: 36	2836	msdcsc.exe
Token: SeSecurityPrivilege	3344	7zFM.exe
Token: SeSecurityPrivilege	3344	7zFM.exe
Token: SeSecurityPrivilege	3344	7zFM.exe
Token: SeIncreaseQuotaPrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeSecurityPrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeTakeOwnershipPrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeLoadDriverPrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeSystemProfilePrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeSystemtimePrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeProfSingleProcessPrivilege	3544	DarkComet - v.5.3.1 FWB.exe
Token: SeIncBasePriorityPrivilege	3544	DarkComet - v.5.3.1 FWB.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe
3344	7zFM.exe
4416	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4416	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4696	DarkComet - v.5.3.1 FWB.exe
2836	msdcsc.exe
4416	DarkComet - v.5.3.1 FWB.exe
3544	DarkComet - v.5.3.1 FWB.exe
4416	DarkComet - v.5.3.1 FWB.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3004	3344	7zFM.exe	80
PID 3344 wrote to memory of 3004	3344	7zFM.exe	80
PID 3344 wrote to memory of 3004	3344	7zFM.exe	80
PID 3004 wrote to memory of 548	3004	DarkComet - v.5.3.1 FWB.exe	82
PID 3004 wrote to memory of 548	3004	DarkComet - v.5.3.1 FWB.exe	82
PID 3004 wrote to memory of 548	3004	DarkComet - v.5.3.1 FWB.exe	82
PID 3004 wrote to memory of 4696	3004	DarkComet - v.5.3.1 FWB.exe	83
PID 3004 wrote to memory of 4696	3004	DarkComet - v.5.3.1 FWB.exe	83
PID 3004 wrote to memory of 4696	3004	DarkComet - v.5.3.1 FWB.exe	83
PID 4696 wrote to memory of 2836	4696	DarkComet - v.5.3.1 FWB.exe	84
PID 4696 wrote to memory of 2836	4696	DarkComet - v.5.3.1 FWB.exe	84
PID 4696 wrote to memory of 2836	4696	DarkComet - v.5.3.1 FWB.exe	84
PID 2836 wrote to memory of 1600	2836	msdcsc.exe	85
PID 2836 wrote to memory of 1600	2836	msdcsc.exe	85
PID 2836 wrote to memory of 1600	2836	msdcsc.exe	85
PID 2836 wrote to memory of 1996	2836	msdcsc.exe	86
PID 2836 wrote to memory of 1996	2836	msdcsc.exe	86
PID 4508 wrote to memory of 4416	4508	DarkComet - v.5.3.1 FWB.exe	93
PID 4508 wrote to memory of 4416	4508	DarkComet - v.5.3.1 FWB.exe	93
PID 4508 wrote to memory of 4416	4508	DarkComet - v.5.3.1 FWB.exe	93
PID 4508 wrote to memory of 3544	4508	DarkComet - v.5.3.1 FWB.exe	94
PID 4508 wrote to memory of 3544	4508	DarkComet - v.5.3.1 FWB.exe	94
PID 4508 wrote to memory of 3544	4508	DarkComet - v.5.3.1 FWB.exe	94

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DarkComet_-_v.5.3.1_FWB.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\7zO01D9CB68\DarkComet - v.5.3.1 FWB.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO01D9CB68\DarkComet - v.5.3.1 FWB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\DarkComet - v.5.3.1 FWB.exe
    "C:\Users\Admin\AppData\Local\Temp\DarkComet - v.5.3.1 FWB.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:548
- - C:\ProgramData\DarkComet - v.5.3.1 FWB.exe
    "C:\ProgramData\DarkComet - v.5.3.1 FWB.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1600
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:1996

C:\Windows\system32\MusNotification.exe
"C:\Windows\system32\MusNotification.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3392

C:\Users\Admin\Desktop\DarkComet - v.5.3.1 FWB.exe
"C:\Users\Admin\Desktop\DarkComet - v.5.3.1 FWB.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\DarkComet - v.5.3.1 FWB.exe
  "C:\Users\Admin\AppData\Local\Temp\DarkComet - v.5.3.1 FWB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4416
- C:\ProgramData\DarkComet - v.5.3.1 FWB.exe
  "C:\ProgramData\DarkComet - v.5.3.1 FWB.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DarkComet - v.5.3.1 FWB.exe

Filesize
235KB

MD5
6684aeab05cbe09e54a497147f90eed3

SHA1
60c3908dcadd17aad605d242f0a39d9e75d0422b

SHA256
7fc14072ae6b14bc4c3138d2acec5d7797ffd85724fd1322899d607c9070e72c

SHA512
91bb613493b545a7ffa1947476b4b7547d216b73748f84c4f129663b78597edb4e86620cafe4c50496288932fdb5839cfbac435ced822620cc20b76db7c2fd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DarkComet - v.5.3.1 FWB.exe.log

Filesize
520B

MD5
d41cf9c8d3035f4593d048d73ff56a5c

SHA1
0c469efc74c9f2f4e3378633aaa739d9a6e92387

SHA256
330bb64ceb6ec5e71af53c4aa587f41c17898cd2840845acafb8c1d49d93cffa

SHA512
3f165f62fc7399b7383613a0c477de36953c9c8eb5a6af934c56917c7be78f687c899ae9580529de1072343d9a795c0faec1808936073e2b0305b44e83e3917e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01D9CB68\DarkComet - v.5.3.1 FWB.exe

Filesize
17.4MB

MD5
c024f8b0b4261b9be1b91c6ade2dda7c

SHA1
4906f7060ab6480b74f7595c35d980c6362fc5b2

SHA256
8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4

SHA512
0ad21960063804c974f09dc7043e9ed4f0769387bab72e391dc2d51ad0a01e385a5b00c6047ec9c7907023aebeb3d61b7725052c7d980a607e220222eb760d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\DarkComet - v.5.3.1 FWB.exe

Filesize
11.3MB

MD5
d761f3aa64064a706a521ba14d0f8741

SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb

SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GeoIP.dat

Filesize
1.1MB

MD5
b64ea0c3e9617ccd2f22d8568676a325

SHA1
f8395bace374acb3596c0feea0edf9b12a41a7b5

SHA256
432e12e688449c2cf1b184c94e2e964f9e09398c194888a7fe1a5b1f8cf3059b

SHA512
9301821636655e14e54ddb47585efde3a98dabeaad97441500db832b52c1ff065bd51657258bd2dbf98679d6b711c48abc08d1cf9d282b6fac3c697cf50b1dd2

Download Submit
C:\Users\Admin\Desktop\sqlite3.dll

Filesize
510KB

MD5
d3979db259f55d59b4edb327673c1905

SHA1
0697e8f35b5951c61a3a632d74fd96843c941628

SHA256
043e5570299c6099756c1809c5632eabeab95ed3c1a55c86843c0ec218940e5a

SHA512
0b87c89aafd3e627c7d6bed0b833601fea1917a76a972061f32a2d9e4aa2e9e85b5e8a67cb330ca44aff17915d0fe2793798451a109d3f0b5014eed06b73bb45

Download Submit
memory/2836-108-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-100-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-230-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-102-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-103-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-104-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-107-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-226-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-119-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-120-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-121-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-224-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2836-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3004-18-0x00000000065A0000-0x000000000712C000-memory.dmp

Filesize
11.5MB

Download
memory/3004-17-0x0000000000950000-0x0000000001AB2000-memory.dmp

Filesize
17.4MB

Download
memory/3004-16-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/3004-19-0x00000000086E0000-0x0000000008C86000-memory.dmp

Filesize
5.6MB

Download
memory/3544-220-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4416-225-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4416-229-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4416-231-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4696-98-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4696-101-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download