darkcomet | d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

Analysis

max time kernel
191s
max time network
129s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Size

1020KB
MD5

6eb8c9e5bdefba159845ea5a03cd83fb
SHA1

add104b21b3064c7d2b465c0f02ac32d9880d43e
SHA256

d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd
SHA512

1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952
SSDEEP

24576:9VUkyvjjmr0Jc8+U9h8qkLl54LWyzaSfuRfDasGIy/EnyiZOQc:3UkMEVU9h2ZiPzaSmRrfWEnrZNc

Score

10^/10

darkcomet ganzneu rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Ganzneu

windowshomesetup.no-ip.biz:8088

Mutex

DC_MUTEX-DL446XT

Attributes

gencode
CzbzF2gzTSH5
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
604	csrss.exe

Loads dropped DLL 8 IoCs

pid	Process
1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe
604	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	csrss.exe
Token: SeIncreaseQuotaPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSecurityPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeTakeOwnershipPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeLoadDriverPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSystemProfilePrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSystemtimePrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeProfSingleProcessPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeIncBasePriorityPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeCreatePagefilePrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeBackupPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeRestorePrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeShutdownPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeDebugPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSystemEnvironmentPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeChangeNotifyPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeRemoteShutdownPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeUndockPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeManageVolumePrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeImpersonatePrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeCreateGlobalPrivilege	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 33	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 34	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 35	516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
516	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 1136	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	28
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 516	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	30
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31
PID 1908 wrote to memory of 604	1908	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	31

C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
"C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\629868978.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1136
- C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
  "C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:516
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -proc 516 C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\629868978.xml

Filesize
1KB

MD5
e70b424be13cb839317017bd08c09f4f

SHA1
2eb5405546830d5b40546dbdaa71fda0c2b1ffc6

SHA256
16f62d2845aeb2457086c2dc69c110d551d7a6082f6ddd6496790f2386d75404

SHA512
8ab435a026089449b46ffc67848b891daa8c8c8b0c0ef61570201b4a624584cb112b9c482dd5fdde9b40c7c353f88d2cf41b00df2ddd52ff7555cfd7b7b650b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
memory/516-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-108-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-84-0x000000000048F888-mapping.dmp

Download
memory/516-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-106-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-105-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/516-99-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/604-98-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/604-104-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/604-90-0x0000000000000000-mapping.dmp

Download
memory/604-107-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-56-0x0000000000000000-mapping.dmp

Download
memory/1908-97-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-55-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1908-85-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download