darkcomet | 86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a

Analysis

max time kernel
179s
max time network
107s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe
Size

418KB
MD5

bf67fdf8fe29e6ec7308291511249a6e
SHA1

b73c218ad338e3e8be83ef51e30c4f510e1d877c
SHA256

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a
SHA512

11a13d788bdd8f34fd5bf852a090f2e7a96e18805da34d4d7d8ae94fdf494a4ee45601f43ea5fe2ba407c3776f81bb8ededa2a320d2390bf997b61a01ba74364
SSDEEP

12288:dey7BmWevJzUEWTBJ6fJGZ4JQLvISG6Ly1KsoPATVh9F4:dV7BmhzUEWCfJGRLn8Kj

Score

10^/10

darkcomet 1st persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

1ST

imohi999.zapto.org:1604

Mutex

DC_MUTEX-6F9QUAU

Attributes

gencode
laeZe1tFmb5q
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1140-87-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-89-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-90-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-94-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-97-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-98-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1140-99-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xKfDLGMrkFHNie = "C:\\Users\\Admin\\AppData\\Roaming\\FfABsZaVqmgsyb.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe

description	pid	process	target process
PID 1500 set thread context of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 set thread context of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FfABsZaVqmgsyb.exe:ZONE.identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FfABsZaVqmgsyb.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe
Token: SeIncreaseQuotaPrivilege	1140	vbc.exe
Token: SeSecurityPrivilege	1140	vbc.exe
Token: SeTakeOwnershipPrivilege	1140	vbc.exe
Token: SeLoadDriverPrivilege	1140	vbc.exe
Token: SeSystemProfilePrivilege	1140	vbc.exe
Token: SeSystemtimePrivilege	1140	vbc.exe
Token: SeProfSingleProcessPrivilege	1140	vbc.exe
Token: SeIncBasePriorityPrivilege	1140	vbc.exe
Token: SeCreatePagefilePrivilege	1140	vbc.exe
Token: SeBackupPrivilege	1140	vbc.exe
Token: SeRestorePrivilege	1140	vbc.exe
Token: SeShutdownPrivilege	1140	vbc.exe
Token: SeDebugPrivilege	1140	vbc.exe
Token: SeSystemEnvironmentPrivilege	1140	vbc.exe
Token: SeChangeNotifyPrivilege	1140	vbc.exe
Token: SeRemoteShutdownPrivilege	1140	vbc.exe
Token: SeUndockPrivilege	1140	vbc.exe
Token: SeManageVolumePrivilege	1140	vbc.exe
Token: SeImpersonatePrivilege	1140	vbc.exe
Token: SeCreateGlobalPrivilege	1140	vbc.exe
Token: 33	1140	vbc.exe
Token: 34	1140	vbc.exe
Token: 35	1140	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1980 vbc.exe
1140 vbc.exe

pid	process
1980	vbc.exe
1140	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exevbc.exevbc.exe

description	pid	process	target process
PID 1500 wrote to memory of 1952	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1952	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1952	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1952	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1952 wrote to memory of 112	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 112	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 112	1952	vbc.exe	cvtres.exe
PID 1952 wrote to memory of 112	1952	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 1484	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1484	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1484	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1484	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1484 wrote to memory of 2032	1484	vbc.exe	cvtres.exe
PID 1484 wrote to memory of 2032	1484	vbc.exe	cvtres.exe
PID 1484 wrote to memory of 2032	1484	vbc.exe	cvtres.exe
PID 1484 wrote to memory of 2032	1484	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1980	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1760	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 1500 wrote to memory of 1760	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 1500 wrote to memory of 1760	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 1500 wrote to memory of 1760	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 1500 wrote to memory of 1140	1500	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe
"C:\Users\Admin\AppData\Local\Temp\86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0s-gfevf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3A0.tmp"
3⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5mgzc4f-.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA787.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA786.tmp"
3⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0s-gfevf.0.vb
Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0s-gfevf.cmdline
Filesize
317B

MD5
ebb03cbf1ed64f1a37aa76668c9ea390

SHA1
5dd7b91864d49dab99b2f713a2d5b8aab3231690

SHA256
d634de128a455fe8efae16add1435702fab59f9cdc8a959e1061f3ac24c7c67a

SHA512
7b210447d9b0b509bcf0a7b0920ab62f17037446fd6f982e1c175a04aa1e58a191dd65996229631c12485a7047a22b3b4bde3d256e7931db43319aac7b75e4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0s-gfevf.dll
Filesize
6KB

MD5
d66e8676a05233c73c1918cb6948266a

SHA1
9c8f778ef0af7ed4f33cfb44dc222d1661ec81ae

SHA256
7bb27e0b0978f6126b020aa908b1a3e0a1dd4dad0ccd8b2160979bd6cc85b6f9

SHA512
738be84260f533c025a839cda0d33775266cfdfabe2340ce3790785f6bcaf8e3cbc602c2f6455e5df3de8db76dfa935ff3d74811183442a9ecce9f4ce1765278

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mgzc4f-.0.vb
Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mgzc4f-.cmdline
Filesize
317B

MD5
eead5fbe2ec472ba6c5ded30561c3556

SHA1
6189bc4f6227b471f0f6644a6e7d5e4eb2f65580

SHA256
28e9f3cefd43bcfd7c4a09981c91e026d5290bdafb50c1576d2defc4d8f135f4

SHA512
c6e0a49f4702a454991169a0c27f714d8e9bb52eecf21aba4507a01ff3294eaf423df5bf76df98798da747433420b161855ce1c6a6964678162d72713dd972d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mgzc4f-.dll
Filesize
6KB

MD5
4a43f65d58e78a3b04c1c22d9dd1d074

SHA1
3edc44fa8dbf84781b3a08813f48734f859fdc4c

SHA256
a2405f35e4b34021dd9f8768f522219f0fb75b2f23004fcffa36463a98de9492

SHA512
678152f6cee63cebda19d851d16b2bcd324309e8e1cfbf2bd71c74ceea6680bdb04a22989489f377e48c6048f39c79598ca1e8cb5ed9211337a7b66c1edb04a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3A1.tmp
Filesize
1KB

MD5
1abd875b4a94dcfca71016c8e082bdd8

SHA1
10439fadfcc088d5c89449aafd8cf67f0113ef10

SHA256
cda73e9529bee50d221a25abcd388f73ea48b86a35461dc81956471933eb9923

SHA512
3b011a86f34171d254f53aced4aa6db61e1423abacf12074585044bb61a4f2fdfac273cc2aed3c3e25d38fc7653c374f6a33bf7501b7afe3179e06b86990e53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA787.tmp
Filesize
1KB

MD5
38c5ad117d5117e7ccc48885a917b17e

SHA1
211b3c1442d45d66ac864146d0f7c0b53ece99ad

SHA256
7f1c59f1c3cae6d8af8937d6d54e80813c4e767202126cbd406bf9fd16286a22

SHA512
2e3311d9d491cd0573a9c76cb3598e157b44016850c6ee43853eb5b5c37bc11488ef31e27b7f7312b2d64a09123a4d3a6995f4897512dad6dafa500518e1c9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA3A0.tmp
Filesize
652B

MD5
226c312e311c09e29193a14d31c2f94a

SHA1
d68f457d7fa99dd3326bf01a5b70f38341f2dd19

SHA256
8afd65e96159c9bc9ecd9365fa522b37fd8d01df58fb287d87ac9b397f92debf

SHA512
e1792a4bfffe7b9d88123b303bd61de9182cacdf8a988572b04ee6e2581db7d440c6da1cc75222b83f0ca1972d77b360848a14563bb4d21377dad0f703e92493

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA786.tmp
Filesize
652B

MD5
5725accc510408e342f88ba77120f353

SHA1
50294a68b1f2979ad5ddb319087d3e6d4bcf9646

SHA256
f4bebf64bfa85a04a30d30ca74a66c74222fb305e558132905f88e1d4c787df5

SHA512
3f2cff6f597c3edfaf9ca2d65073071b7c521224e048d1cd70ac8f3c971d1ce6f3aa56409032ebe4b03ec76b850684542d02d4aac098980292401df5aac70ff5

Download Submit
C:\Users\Admin\AppData\Roaming\FfABsZaVqmgsyb.exe:ZONE.identifier
Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize
134B

MD5
410fd1b0ed3c1476b9711734e07d056a

SHA1
fcb214374b2248ca381c4c1606492fb0c1661740

SHA256
4a94fffcb546b61aa2e5ce0051c5c8a70cd3a678808809d17c63bd4c705753f0

SHA512
28ad56bb14e677c2e8d270fda31d4b62833fb8fb169462f9d7b9e1adc32e396f4ce66de282874c6fe2b8c1b2752e5c221428252566fed521950c2fd2ffd924b4

Download Submit
memory/112-59-0x0000000000000000-mapping.dmp

Download
memory/1140-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-97-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-98-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-91-0x00000000004B5720-mapping.dmp

Download
memory/1140-90-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-89-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-87-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-86-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1140-99-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1484-63-0x0000000000000000-mapping.dmp

Download
memory/1500-70-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1500-55-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1500-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1500-95-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-82-0x0000000000000000-mapping.dmp

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download
memory/1980-71-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1980-84-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1980-72-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1980-74-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1980-76-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1980-77-0x0000000000401238-mapping.dmp

Download
memory/2032-66-0x0000000000000000-mapping.dmp

Download