darkcomet | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e

Analysis

max time kernel
153s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Size

283KB
MD5

78827ea6267d6e13deeaabf83c564a30
SHA1

358f5b6da89fce5b40bb656f04e96ac9beaa6793
SHA256

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e
SHA512

3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74
SSDEEP

6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37C:FcW7KEZlPzCy37C

Score

10^/10

darkcomet hack evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Hack

slimeftp.ddns.net:1604

Mutex

DC_MUTEX-QPDTQVV

Attributes

InstallPath
friedhost.exe
gencode
N9ngM7z9Ub0y
install
true
offline_keylogger
true
persistence
false
reg_key
friedhost.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\friedhost.exe"	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

friedhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	friedhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	friedhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	friedhost.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

friedhost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" friedhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	friedhost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

friedhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	friedhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	friedhost.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

friedhost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	friedhost.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

friedhost.exe

pid process

1076 friedhost.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

840 attrib.exe
1044 attrib.exe

pid	process
1076	friedhost.exe

pid	process
840	attrib.exe
1044	attrib.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1980-55-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
\Users\Admin\AppData\Roaming\friedhost.exe	upx
\Users\Admin\AppData\Roaming\friedhost.exe	upx
C:\Users\Admin\AppData\Roaming\friedhost.exe	upx
C:\Users\Admin\AppData\Roaming\friedhost.exe	upx
behavioral1/memory/1076-69-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/1980-70-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/1076-71-0x0000000000400000-0x00000000004C7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe

pid	process
1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

friedhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	friedhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	friedhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\friedhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\friedhost.exe"	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exefriedhost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeSecurityPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeTakeOwnershipPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeLoadDriverPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeSystemProfilePrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeSystemtimePrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeProfSingleProcessPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeIncBasePriorityPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeCreatePagefilePrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeBackupPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeRestorePrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeShutdownPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeDebugPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeSystemEnvironmentPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeChangeNotifyPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeRemoteShutdownPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeUndockPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeManageVolumePrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeImpersonatePrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeCreateGlobalPrivilege	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: 33	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: 34	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: 35	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
Token: SeIncreaseQuotaPrivilege	1076	friedhost.exe
Token: SeSecurityPrivilege	1076	friedhost.exe
Token: SeTakeOwnershipPrivilege	1076	friedhost.exe
Token: SeLoadDriverPrivilege	1076	friedhost.exe
Token: SeSystemProfilePrivilege	1076	friedhost.exe
Token: SeSystemtimePrivilege	1076	friedhost.exe
Token: SeProfSingleProcessPrivilege	1076	friedhost.exe
Token: SeIncBasePriorityPrivilege	1076	friedhost.exe
Token: SeCreatePagefilePrivilege	1076	friedhost.exe
Token: SeBackupPrivilege	1076	friedhost.exe
Token: SeRestorePrivilege	1076	friedhost.exe
Token: SeShutdownPrivilege	1076	friedhost.exe
Token: SeDebugPrivilege	1076	friedhost.exe
Token: SeSystemEnvironmentPrivilege	1076	friedhost.exe
Token: SeChangeNotifyPrivilege	1076	friedhost.exe
Token: SeRemoteShutdownPrivilege	1076	friedhost.exe
Token: SeUndockPrivilege	1076	friedhost.exe
Token: SeManageVolumePrivilege	1076	friedhost.exe
Token: SeImpersonatePrivilege	1076	friedhost.exe
Token: SeCreateGlobalPrivilege	1076	friedhost.exe
Token: 33	1076	friedhost.exe
Token: 34	1076	friedhost.exe
Token: 35	1076	friedhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

friedhost.exe

pid process

1076 friedhost.exe

pid	process
1076	friedhost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.execmd.execmd.exefriedhost.exe

description	pid	process	target process
PID 1980 wrote to memory of 1296	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1296	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1296	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1296	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1252	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1252	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1252	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1980 wrote to memory of 1252	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	cmd.exe
PID 1296 wrote to memory of 840	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 840	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 840	1296	cmd.exe	attrib.exe
PID 1296 wrote to memory of 840	1296	cmd.exe	attrib.exe
PID 1252 wrote to memory of 1044	1252	cmd.exe	attrib.exe
PID 1252 wrote to memory of 1044	1252	cmd.exe	attrib.exe
PID 1252 wrote to memory of 1044	1252	cmd.exe	attrib.exe
PID 1252 wrote to memory of 1044	1252	cmd.exe	attrib.exe
PID 1980 wrote to memory of 1076	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	friedhost.exe
PID 1980 wrote to memory of 1076	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	friedhost.exe
PID 1980 wrote to memory of 1076	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	friedhost.exe
PID 1980 wrote to memory of 1076	1980	d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe	friedhost.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe
PID 1076 wrote to memory of 520	1076	friedhost.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

friedhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	friedhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	friedhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	friedhost.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

840 attrib.exe
1044 attrib.exe

pid	process
840	attrib.exe
1044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
"C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1044

C:\Users\Admin\AppData\Roaming\friedhost.exe
"C:\Users\Admin\AppData\Roaming\friedhost.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1076

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\friedhost.exe
Filesize
283KB

MD5
78827ea6267d6e13deeaabf83c564a30

SHA1
358f5b6da89fce5b40bb656f04e96ac9beaa6793

SHA256
d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e

SHA512
3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74

Download Submit
C:\Users\Admin\AppData\Roaming\friedhost.exe
Filesize
283KB

MD5
78827ea6267d6e13deeaabf83c564a30

SHA1
358f5b6da89fce5b40bb656f04e96ac9beaa6793

SHA256
d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e

SHA512
3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74

Download Submit
\Users\Admin\AppData\Roaming\friedhost.exe
Filesize
283KB

MD5
78827ea6267d6e13deeaabf83c564a30

SHA1
358f5b6da89fce5b40bb656f04e96ac9beaa6793

SHA256
d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e

SHA512
3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74

Download Submit
\Users\Admin\AppData\Roaming\friedhost.exe
Filesize
283KB

MD5
78827ea6267d6e13deeaabf83c564a30

SHA1
358f5b6da89fce5b40bb656f04e96ac9beaa6793

SHA256
d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e

SHA512
3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74

Download Submit
memory/520-66-0x0000000000000000-mapping.dmp

Download
memory/840-58-0x0000000000000000-mapping.dmp

Download
memory/1044-59-0x0000000000000000-mapping.dmp

Download
memory/1076-62-0x0000000000000000-mapping.dmp

Download
memory/1076-69-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1076-71-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1252-57-0x0000000000000000-mapping.dmp

Download
memory/1296-56-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1980-68-0x00000000032C0000-0x0000000003387000-memory.dmp

Filesize
796KB

Download
memory/1980-70-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download