darkcomet | 0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867

Analysis

max time kernel
78s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2025, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe
Size

683KB
MD5

9dd53b03345030bc7decf3adbe608ce7
SHA1

5999c980dfb72ed83cb4196a310cf2896650f997
SHA256

0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867
SHA512

a904e90ed7c076de06a2deaf929cbd0f63844c6a09664f068d1b2c41e34ab3cad365339de3e6868cc43de38d5246ac6749ee596883e9a720573043e4f7a36f5a
SSDEEP

12288:cQ2T1tTzrnmsm81wCfvXsKbDTo7E3TlQCGVUPShkQ2lE1ToXi7SnATyQYzTa3mY:crT1t3dd8KvTo7E3TPOUPSaA1Tt7hTyC

Score

10^/10

darkcomet guest16 credential_access defense_evasion discovery persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

startpc.localto.net:5139

Mutex

DC_MUTEX-YNHY3V1

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
bbBGhWmhMoJH
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	test.exe

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
380	attrib.exe
4540	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	test.exe

Executes dropped EXE 4 IoCs

pid	Process
2176	server.exe
4416	test3.exe
3092	test.exe
1056	msdcsc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000240f4-29.dat	upx
behavioral1/memory/3092-47-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-122-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/3092-128-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-161-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-166-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-171-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-176-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-181-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-186-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/1056-191-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	test.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2300	powershell.exe
2300	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1056	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3092	test.exe
Token: SeSecurityPrivilege	3092	test.exe
Token: SeTakeOwnershipPrivilege	3092	test.exe
Token: SeLoadDriverPrivilege	3092	test.exe
Token: SeSystemProfilePrivilege	3092	test.exe
Token: SeSystemtimePrivilege	3092	test.exe
Token: SeProfSingleProcessPrivilege	3092	test.exe
Token: SeIncBasePriorityPrivilege	3092	test.exe
Token: SeCreatePagefilePrivilege	3092	test.exe
Token: SeBackupPrivilege	3092	test.exe
Token: SeRestorePrivilege	3092	test.exe
Token: SeShutdownPrivilege	3092	test.exe
Token: SeDebugPrivilege	3092	test.exe
Token: SeSystemEnvironmentPrivilege	3092	test.exe
Token: SeChangeNotifyPrivilege	3092	test.exe
Token: SeRemoteShutdownPrivilege	3092	test.exe
Token: SeUndockPrivilege	3092	test.exe
Token: SeManageVolumePrivilege	3092	test.exe
Token: SeImpersonatePrivilege	3092	test.exe
Token: SeCreateGlobalPrivilege	3092	test.exe
Token: 33	3092	test.exe
Token: 34	3092	test.exe
Token: 35	3092	test.exe
Token: 36	3092	test.exe
Token: SeDebugPrivilege	4416	test3.exe
Token: 33	4416	test3.exe
Token: SeIncBasePriorityPrivilege	4416	test3.exe
Token: SeDebugPrivilege	4416	test3.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	1056	msdcsc.exe
Token: SeSecurityPrivilege	1056	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1056	msdcsc.exe
Token: SeLoadDriverPrivilege	1056	msdcsc.exe
Token: SeSystemProfilePrivilege	1056	msdcsc.exe
Token: SeSystemtimePrivilege	1056	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1056	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1056	msdcsc.exe
Token: SeCreatePagefilePrivilege	1056	msdcsc.exe
Token: SeBackupPrivilege	1056	msdcsc.exe
Token: SeRestorePrivilege	1056	msdcsc.exe
Token: SeShutdownPrivilege	1056	msdcsc.exe
Token: SeDebugPrivilege	1056	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1056	msdcsc.exe
Token: SeChangeNotifyPrivilege	1056	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1056	msdcsc.exe
Token: SeUndockPrivilege	1056	msdcsc.exe
Token: SeManageVolumePrivilege	1056	msdcsc.exe
Token: SeImpersonatePrivilege	1056	msdcsc.exe
Token: SeCreateGlobalPrivilege	1056	msdcsc.exe
Token: 33	1056	msdcsc.exe
Token: 34	1056	msdcsc.exe
Token: 35	1056	msdcsc.exe
Token: 36	1056	msdcsc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2176	server.exe
2176	server.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4416	test3.exe
4416	test3.exe
1056	msdcsc.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2300	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	86
PID 2428 wrote to memory of 2300	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	86
PID 2428 wrote to memory of 2300	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	86
PID 2428 wrote to memory of 2176	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	88
PID 2428 wrote to memory of 2176	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	88
PID 2428 wrote to memory of 4416	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	90
PID 2428 wrote to memory of 4416	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	90
PID 2428 wrote to memory of 3092	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	91
PID 2428 wrote to memory of 3092	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	91
PID 2428 wrote to memory of 3092	2428	0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe	91
PID 3092 wrote to memory of 1812	3092	test.exe	92
PID 3092 wrote to memory of 1812	3092	test.exe	92
PID 3092 wrote to memory of 1812	3092	test.exe	92
PID 3092 wrote to memory of 3464	3092	test.exe	93
PID 3092 wrote to memory of 3464	3092	test.exe	93
PID 3092 wrote to memory of 3464	3092	test.exe	93
PID 3092 wrote to memory of 1056	3092	test.exe	96
PID 3092 wrote to memory of 1056	3092	test.exe	96
PID 3092 wrote to memory of 1056	3092	test.exe	96
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1056 wrote to memory of 3440	1056	msdcsc.exe	97
PID 1812 wrote to memory of 380	1812	cmd.exe	98
PID 1812 wrote to memory of 380	1812	cmd.exe	98
PID 1812 wrote to memory of 380	1812	cmd.exe	98
PID 3464 wrote to memory of 4540	3464	cmd.exe	99
PID 3464 wrote to memory of 4540	3464	cmd.exe	99
PID 3464 wrote to memory of 4540	3464	cmd.exe	99

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
380	attrib.exe
4540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe
"C:\Users\Admin\AppData\Local\Temp\0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAYQBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAdgBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdQBmACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\test3.exe
  "C:\Users\Admin\AppData\Local\Temp\test3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\test.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\test.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4540
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_alo4jg2l.t00.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
159KB

MD5
0e660b30cdd6af759d3f9bf8e570a125

SHA1
f23d8f22ebaeee3b11983d7fd2803cc2c3955fd2

SHA256
300a6ae4e7f47e9045949851a959c0f6033d06a407a710c769ef4f0361b3a1d2

SHA512
f88977adb9f8315690902504b1f80528294bad7dbc5362900b4771db76602325b4888df599d652608b2dbfc540a7c8d3d1fc868b86542aa6f39b6f3c53bf1c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
349KB

MD5
1fe0b8aa29f9146f20034ea25a9de0f7

SHA1
e39dfaf4ebfcb2d9f3304288915cc3b0cb04cbb8

SHA256
450d5092c67ae98f01cc40c5ebadb16b7740c7459eba002bcdf9d3e56ccab337

SHA512
b69066a1bac7ddf91719503e41f2bd823d617646c140c52ea930d61a6990ee99fb02de5802b2797cb88c984a235422f5bdf2922db548c37f9e146c75997c154b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3.exe

Filesize
168KB

MD5
3ddeaa6023c5b94e2273e53b65919c24

SHA1
0f2fe2f4c678ce8c461e9638607ffc2b2c65ce8b

SHA256
4f64157060de47971225f0762f1ebf16d6e70bbd5bf98fa7d14c6d3167e00728

SHA512
91ea7f7f55e9e616946e079e98501b1bec07e52ae0be41fd3d59b41a35cc573949205c9bb5cd35915d7b2abf5f15e50b9d2f5ee8c94c73fbf024d02c4c6b0de8

Download Submit
memory/1056-166-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-186-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-122-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-191-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-181-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-161-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-171-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1056-176-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2176-45-0x000000001C890000-0x000000001C8DC000-memory.dmp

Filesize
304KB

Download
memory/2176-41-0x00000000015D0000-0x00000000015D8000-memory.dmp

Filesize
32KB

Download
memory/2176-44-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/2176-31-0x000000001BBD0000-0x000000001BC76000-memory.dmp

Filesize
664KB

Download
memory/2176-40-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/2176-46-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/2176-157-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/2176-126-0x000000001F3D0000-0x000000001F6DE000-memory.dmp

Filesize
3.1MB

Download
memory/2176-34-0x000000001C730000-0x000000001C7CC000-memory.dmp

Filesize
624KB

Download
memory/2176-33-0x000000001C150000-0x000000001C61E000-memory.dmp

Filesize
4.8MB

Download
memory/2300-124-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/2300-146-0x0000000007970000-0x0000000007981000-memory.dmp

Filesize
68KB

Download
memory/2300-38-0x0000000004ED0000-0x0000000004F06000-memory.dmp

Filesize
216KB

Download
memory/2300-104-0x0000000005CB0000-0x0000000005CD2000-memory.dmp

Filesize
136KB

Download
memory/2300-125-0x0000000006480000-0x00000000064CC000-memory.dmp

Filesize
304KB

Download
memory/2300-105-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/2300-43-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/2300-129-0x0000000006A10000-0x0000000006A42000-memory.dmp

Filesize
200KB

Download
memory/2300-140-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/2300-130-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/2300-141-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/2300-142-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/2300-143-0x0000000007770000-0x000000000778A000-memory.dmp

Filesize
104KB

Download
memory/2300-144-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/2300-145-0x00000000079F0000-0x0000000007A86000-memory.dmp

Filesize
600KB

Download
memory/2300-108-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-147-0x00000000079B0000-0x00000000079BE000-memory.dmp

Filesize
56KB

Download
memory/2300-148-0x00000000079C0000-0x00000000079D4000-memory.dmp

Filesize
80KB

Download
memory/2300-149-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/2300-150-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/2300-106-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/3092-47-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3092-128-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3440-123-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4416-156-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/4416-155-0x00007FFE5C365000-0x00007FFE5C366000-memory.dmp

Filesize
4KB

Download
memory/4416-160-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/4416-96-0x000000001CDE0000-0x000000001CE42000-memory.dmp

Filesize
392KB

Download
memory/4416-97-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/4416-32-0x00007FFE5C0B0000-0x00007FFE5CA51000-memory.dmp

Filesize
9.6MB

Download
memory/4416-22-0x00007FFE5C365000-0x00007FFE5C366000-memory.dmp

Filesize
4KB

Download