darkcomet | 3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Size

728KB
MD5

f910ba6ba0a9de0c1f139c1199e89875
SHA1

e60e5ef468071cb34c645190710e87437bdf2794
SHA256

3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f
SHA512

55e8047d32be884d43b126fa23a2a000e44c75cc5639a3fa25cd18da40946d74a86ec49d6efe5d0424449c3aeb9de24d6e03513637c96f0672ea7e697530cad5
SSDEEP

12288:qgqCYAk9Fv6ifHjKqM3ZjU1jPeu+69EoHcboSpu56HH:qkk9FvSqAOwucbvp7

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\microsoft\\winupdate.exe"	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Executes dropped EXE 2 IoCs

Processes:

winupdate.exewinupdate.exe

pid	Process
2476	winupdate.exe
2728	winupdate.exe

Loads dropped DLL 8 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exewinupdate.exe

pid	Process
3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2476	winupdate.exe
2476	winupdate.exe
2476	winupdate.exe
2476	winupdate.exe
2728	winupdate.exe
2728	winupdate.exe
2728	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\microsoft\\winupdate.exe"	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	Process	procid_target
PID 2028 set thread context of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 3044 set thread context of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 2476 set thread context of 2728	2476	winupdate.exe	31

Drops file in Windows directory 4 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
File created	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winupdate.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSecurityPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRestorePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeShutdownPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeDebugPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeUndockPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 33	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 34	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 35	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2728	winupdate.exe
Token: SeSecurityPrivilege	2728	winupdate.exe
Token: SeTakeOwnershipPrivilege	2728	winupdate.exe
Token: SeLoadDriverPrivilege	2728	winupdate.exe
Token: SeSystemProfilePrivilege	2728	winupdate.exe
Token: SeSystemtimePrivilege	2728	winupdate.exe
Token: SeProfSingleProcessPrivilege	2728	winupdate.exe
Token: SeIncBasePriorityPrivilege	2728	winupdate.exe
Token: SeCreatePagefilePrivilege	2728	winupdate.exe
Token: SeBackupPrivilege	2728	winupdate.exe
Token: SeRestorePrivilege	2728	winupdate.exe
Token: SeShutdownPrivilege	2728	winupdate.exe
Token: SeDebugPrivilege	2728	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2728	winupdate.exe
Token: SeChangeNotifyPrivilege	2728	winupdate.exe
Token: SeRemoteShutdownPrivilege	2728	winupdate.exe
Token: SeUndockPrivilege	2728	winupdate.exe
Token: SeManageVolumePrivilege	2728	winupdate.exe
Token: SeImpersonatePrivilege	2728	winupdate.exe
Token: SeCreateGlobalPrivilege	2728	winupdate.exe
Token: 33	2728	winupdate.exe
Token: 34	2728	winupdate.exe
Token: 35	2728	winupdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exeexplorer.exewinupdate.exewinupdate.exe

pid	Process
2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2608	explorer.exe
2476	winupdate.exe
2728	winupdate.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	Process	procid_target
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	30
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31
PID 2476 wrote to memory of 2728	2476	winupdate.exe	31

C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2608
- - C:\Windows\microsoft\winupdate.exe
    "C:\Windows\microsoft\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\microsoft\winupdate.exe
      C:\Windows\microsoft\winupdate.exe
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\microsoft\winupdate.exe

Filesize
728KB

MD5
f910ba6ba0a9de0c1f139c1199e89875

SHA1
e60e5ef468071cb34c645190710e87437bdf2794

SHA256
3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f

SHA512
55e8047d32be884d43b126fa23a2a000e44c75cc5639a3fa25cd18da40946d74a86ec49d6efe5d0424449c3aeb9de24d6e03513637c96f0672ea7e697530cad5

Download Submit
memory/2608-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2608-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2608-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2608-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2728-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-83-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-90-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-89-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-88-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-87-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-85-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-81-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-79-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-73-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2728-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3044-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-11-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-6-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-2-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-4-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-24-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-22-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-21-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-20-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-19-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3044-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download