darkcomet | d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe
Size

723KB
MD5

99bbae87448fa2afbe14f94c8c4d6c35
SHA1

711df984d7b34528783726288bc40c412c2e96f2
SHA256

d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630
SHA512

2d8b67a9f4ecb2a82965901441a784557602e0005be5dfd3c022e135a3dee677f61f48f1301dd7111f4a54905854d81f4e2afec886e32b611fe742c26cd2832c
SSDEEP

12288:1RZ+IoG/n9IQxW3OBsemwxbFzSq0JmNxJWK/sd5JazbuOg4mCOiu8pMbBi:92G/nvxW3WbNZvLQIzbu58Ojbdi

Score

10^/10

darkcomet sazan persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

0.tcp.ngrok.io:19553

Mutex

DC_MUTEX-LQR29VS

Attributes

InstallPath
MSDCSC\WindowsUpdater.exe
gencode
90gqTdCABW5t
install
true
offline_keylogger
true
persistence
true
reg_key
WindowsUpdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Spoofer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe"	Spoofer.exe

Executes dropped EXE 3 IoCs

Processes:

Spoofer1.exeSpoofer.exeWindowsUpdater.exe

pid process

1488 Spoofer1.exe
1464 Spoofer.exe
1728 WindowsUpdater.exe

pid	process
1488	Spoofer1.exe
1464	Spoofer.exe
1728	WindowsUpdater.exe

Loads dropped DLL 10 IoCs

Processes:

cmd.exeSpoofer1.exeSpoofer.exeWindowsUpdater.exe

pid	process
676	cmd.exe
1488	Spoofer1.exe
1488	Spoofer1.exe
1488	Spoofer1.exe
1488	Spoofer1.exe
1488	Spoofer1.exe
1464	Spoofer.exe
1728	WindowsUpdater.exe
1728	WindowsUpdater.exe
1728	WindowsUpdater.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Spoofer.exeWindowsUpdater.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe"	Spoofer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe"	WindowsUpdater.exe

Drops file in System32 directory 3 IoCs

Processes:

Spoofer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	Spoofer.exe
File created	C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe	Spoofer.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe	Spoofer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

Spoofer.exeWindowsUpdater.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1464	Spoofer.exe
Token: SeSecurityPrivilege	1464	Spoofer.exe
Token: SeTakeOwnershipPrivilege	1464	Spoofer.exe
Token: SeLoadDriverPrivilege	1464	Spoofer.exe
Token: SeSystemProfilePrivilege	1464	Spoofer.exe
Token: SeSystemtimePrivilege	1464	Spoofer.exe
Token: SeProfSingleProcessPrivilege	1464	Spoofer.exe
Token: SeIncBasePriorityPrivilege	1464	Spoofer.exe
Token: SeCreatePagefilePrivilege	1464	Spoofer.exe
Token: SeBackupPrivilege	1464	Spoofer.exe
Token: SeRestorePrivilege	1464	Spoofer.exe
Token: SeShutdownPrivilege	1464	Spoofer.exe
Token: SeDebugPrivilege	1464	Spoofer.exe
Token: SeSystemEnvironmentPrivilege	1464	Spoofer.exe
Token: SeChangeNotifyPrivilege	1464	Spoofer.exe
Token: SeRemoteShutdownPrivilege	1464	Spoofer.exe
Token: SeUndockPrivilege	1464	Spoofer.exe
Token: SeManageVolumePrivilege	1464	Spoofer.exe
Token: SeImpersonatePrivilege	1464	Spoofer.exe
Token: SeCreateGlobalPrivilege	1464	Spoofer.exe
Token: 33	1464	Spoofer.exe
Token: 34	1464	Spoofer.exe
Token: 35	1464	Spoofer.exe
Token: SeIncreaseQuotaPrivilege	1728	WindowsUpdater.exe
Token: SeSecurityPrivilege	1728	WindowsUpdater.exe
Token: SeTakeOwnershipPrivilege	1728	WindowsUpdater.exe
Token: SeLoadDriverPrivilege	1728	WindowsUpdater.exe
Token: SeSystemProfilePrivilege	1728	WindowsUpdater.exe
Token: SeSystemtimePrivilege	1728	WindowsUpdater.exe
Token: SeProfSingleProcessPrivilege	1728	WindowsUpdater.exe
Token: SeIncBasePriorityPrivilege	1728	WindowsUpdater.exe
Token: SeCreatePagefilePrivilege	1728	WindowsUpdater.exe
Token: SeBackupPrivilege	1728	WindowsUpdater.exe
Token: SeRestorePrivilege	1728	WindowsUpdater.exe
Token: SeShutdownPrivilege	1728	WindowsUpdater.exe
Token: SeDebugPrivilege	1728	WindowsUpdater.exe
Token: SeSystemEnvironmentPrivilege	1728	WindowsUpdater.exe
Token: SeChangeNotifyPrivilege	1728	WindowsUpdater.exe
Token: SeRemoteShutdownPrivilege	1728	WindowsUpdater.exe
Token: SeUndockPrivilege	1728	WindowsUpdater.exe
Token: SeManageVolumePrivilege	1728	WindowsUpdater.exe
Token: SeImpersonatePrivilege	1728	WindowsUpdater.exe
Token: SeCreateGlobalPrivilege	1728	WindowsUpdater.exe
Token: 33	1728	WindowsUpdater.exe
Token: 34	1728	WindowsUpdater.exe
Token: 35	1728	WindowsUpdater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WindowsUpdater.exe

pid process

1728 WindowsUpdater.exe

pid	process
1728	WindowsUpdater.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.execmd.exeSpoofer1.exeSpoofer.exeWindowsUpdater.exe

description	pid	process	target process
PID 1388 wrote to memory of 676	1388	d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe	cmd.exe
PID 1388 wrote to memory of 676	1388	d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe	cmd.exe
PID 1388 wrote to memory of 676	1388	d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe	cmd.exe
PID 1388 wrote to memory of 676	1388	d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe	cmd.exe
PID 676 wrote to memory of 1488	676	cmd.exe	Spoofer1.exe
PID 676 wrote to memory of 1488	676	cmd.exe	Spoofer1.exe
PID 676 wrote to memory of 1488	676	cmd.exe	Spoofer1.exe
PID 676 wrote to memory of 1488	676	cmd.exe	Spoofer1.exe
PID 1488 wrote to memory of 1464	1488	Spoofer1.exe	Spoofer.exe
PID 1488 wrote to memory of 1464	1488	Spoofer1.exe	Spoofer.exe
PID 1488 wrote to memory of 1464	1488	Spoofer1.exe	Spoofer.exe
PID 1488 wrote to memory of 1464	1488	Spoofer1.exe	Spoofer.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1464 wrote to memory of 1728	1464	Spoofer.exe	WindowsUpdater.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 744	1728	WindowsUpdater.exe	iexplore.exe
PID 1728 wrote to memory of 944	1728	WindowsUpdater.exe	explorer.exe
PID 1728 wrote to memory of 944	1728	WindowsUpdater.exe	explorer.exe
PID 1728 wrote to memory of 944	1728	WindowsUpdater.exe	explorer.exe
PID 1728 wrote to memory of 944	1728	WindowsUpdater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe
"C:\Users\Admin\AppData\Local\Temp\d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer2.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer1.exe
Spoofer1.exe -ptest -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
"C:\Windows\system32\MSDCSC\WindowsUpdater.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:744

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
6⤵
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer1.exe
Filesize
594KB

MD5
72b0278cdf387b4a6f9d88cb49c300bd

SHA1
9f8fc1ef81acabfcced71c2ef4cc939a9f661d4c

SHA256
719757595e34756ec7921f18616705329d89decf0abac12c62008f26bbe1e314

SHA512
507db098dbb387bb35a37c3378f20856c132efb447f248159aac2b763fe46a32824242c991063cd9fa1c1b09c0a2a67d4e411954b6a907343d713189f1a50050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer1.exe
Filesize
594KB

MD5
72b0278cdf387b4a6f9d88cb49c300bd

SHA1
9f8fc1ef81acabfcced71c2ef4cc939a9f661d4c

SHA256
719757595e34756ec7921f18616705329d89decf0abac12c62008f26bbe1e314

SHA512
507db098dbb387bb35a37c3378f20856c132efb447f248159aac2b763fe46a32824242c991063cd9fa1c1b09c0a2a67d4e411954b6a907343d713189f1a50050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer2.bat
Filesize
28B

MD5
ae3a7b2a8b2e73eb2924f8e32953c097

SHA1
d8e0f10d1700dfd048e70bd4ef22952033c0a17a

SHA256
da3b56eec658808aaacdf2917280ac656fafaf746510d58917c97181c08dc1c0

SHA512
fd58d2c8d876079814aab198d30508332eb4427dd0f084a8686669bf86e71ad4b30968dbfbcf3b65cef56a467561cac56254fd3c7e86490103c96810f8121499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer1.exe
Filesize
594KB

MD5
72b0278cdf387b4a6f9d88cb49c300bd

SHA1
9f8fc1ef81acabfcced71c2ef4cc939a9f661d4c

SHA256
719757595e34756ec7921f18616705329d89decf0abac12c62008f26bbe1e314

SHA512
507db098dbb387bb35a37c3378f20856c132efb447f248159aac2b763fe46a32824242c991063cd9fa1c1b09c0a2a67d4e411954b6a907343d713189f1a50050

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
Filesize
690KB

MD5
08ad2de1afdb29ff6341b747c2c6ee69

SHA1
5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24

SHA256
cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770

SHA512
a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6

Download Submit
memory/676-55-0x0000000000000000-mapping.dmp

Download
memory/1388-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1464-67-0x0000000000000000-mapping.dmp

Download
memory/1488-59-0x0000000000000000-mapping.dmp

Download
memory/1728-72-0x0000000000000000-mapping.dmp

Download