darkcomet | f805abca58f0933dc66b09f7b9886394a92d481343df2851415f673b2b7ca0f2

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe
Size

1.3MB
MD5

5e412597778f7df65155685a8bdcd4be
SHA1

1086c375c09c07486f0542c679a74d61dd943594
SHA256

f805abca58f0933dc66b09f7b9886394a92d481343df2851415f673b2b7ca0f2
SHA512

579bb3cea0b8daa74b9221191d4ad484f92379f01f8298d055fb50e3ae0a58e15847b6933ab6d6960564ebd0625d680ca31b7d74e2a233d7b43ae9e9de1438da
SSDEEP

24576:vFAABG9aJp25/4ddZMAsiIMXNI+RVN64AzFfoC9kAblzH2JCYkkX5zA:ZaaJpo/yZN6MXN9/NrAZgM2JlFA

Score

10^/10

darkcomet latentbot sks persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

SKS

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
lwRB5npjTSK8
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

essstzttztz.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 2 IoCs

pid	Process
2856	WLIDSCV.exe
2432	flashmk.exe

Loads dropped DLL 4 IoCs

pid	Process
2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe
2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-53-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-51-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-61-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-60-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-59-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-58-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-57-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-56-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-62-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-63-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-64-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-65-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-66-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-67-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-68-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-69-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-70-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-71-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-72-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-73-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-74-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2664-75-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiops = "C:\\Users\\Admin\\AppData\\Roaming\\flashmk.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2432 set thread context of 2664	2432	flashmk.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\flashmk.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe
2432	flashmk.exe
2856	WLIDSCV.exe
2856	WLIDSCV.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	WLIDSCV.exe
Token: SeDebugPrivilege	2432	flashmk.exe
Token: SeIncreaseQuotaPrivilege	2664	vbc.exe
Token: SeSecurityPrivilege	2664	vbc.exe
Token: SeTakeOwnershipPrivilege	2664	vbc.exe
Token: SeLoadDriverPrivilege	2664	vbc.exe
Token: SeSystemProfilePrivilege	2664	vbc.exe
Token: SeSystemtimePrivilege	2664	vbc.exe
Token: SeProfSingleProcessPrivilege	2664	vbc.exe
Token: SeIncBasePriorityPrivilege	2664	vbc.exe
Token: SeCreatePagefilePrivilege	2664	vbc.exe
Token: SeBackupPrivilege	2664	vbc.exe
Token: SeRestorePrivilege	2664	vbc.exe
Token: SeShutdownPrivilege	2664	vbc.exe
Token: SeDebugPrivilege	2664	vbc.exe
Token: SeSystemEnvironmentPrivilege	2664	vbc.exe
Token: SeChangeNotifyPrivilege	2664	vbc.exe
Token: SeRemoteShutdownPrivilege	2664	vbc.exe
Token: SeUndockPrivilege	2664	vbc.exe
Token: SeManageVolumePrivilege	2664	vbc.exe
Token: SeImpersonatePrivilege	2664	vbc.exe
Token: SeCreateGlobalPrivilege	2664	vbc.exe
Token: 33	2664	vbc.exe
Token: 34	2664	vbc.exe
Token: 35	2664	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	vbc.exe
2664	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2536	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2380	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2380	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2380	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2380	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2696	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	33
PID 2996 wrote to memory of 2696	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	33
PID 2996 wrote to memory of 2696	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	33
PID 2996 wrote to memory of 2696	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2508	2696	vbc.exe	35
PID 2696 wrote to memory of 2508	2696	vbc.exe	35
PID 2696 wrote to memory of 2508	2696	vbc.exe	35
PID 2696 wrote to memory of 2508	2696	vbc.exe	35
PID 2996 wrote to memory of 2856	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	36
PID 2996 wrote to memory of 2856	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	36
PID 2996 wrote to memory of 2856	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	36
PID 2996 wrote to memory of 2856	2996	5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe	36
PID 2856 wrote to memory of 2432	2856	WLIDSCV.exe	37
PID 2856 wrote to memory of 2432	2856	WLIDSCV.exe	37
PID 2856 wrote to memory of 2432	2856	WLIDSCV.exe	37
PID 2856 wrote to memory of 2432	2856	WLIDSCV.exe	37
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38
PID 2432 wrote to memory of 2664	2432	flashmk.exe	38

C:\Users\Admin\AppData\Local\Temp\5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e412597778f7df65155685a8bdcd4be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - NTFS ADS
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hf2il7uv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6A9.tmp"
    3⤵
    PID:2508
- C:\Users\Admin\AppData\Roaming\WLIDSCV.exe
  "C:\Users\Admin\AppData\Roaming\WLIDSCV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\flashmk.exe
    "C:\Users\Admin\AppData\Roaming\flashmk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6AA.tmp

Filesize
1KB

MD5
6ed0edf5060e8a03cc7f7774f45530d9

SHA1
adad4c568218f0f51574ae358e9c7601d5f014da

SHA256
614170df1b97a8d8ceba3c85ac02a03e0991651e850cc40a3ea312072d3e74c4

SHA512
b08c784934a9db3512825c1a4425aa4691425bbeb888240df11241fee356fc35a659215dc38c13c91cfea04638d32a5f1bb2ee289707971333398233c67d2c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\hf2il7uv.0.vb

Filesize
1KB

MD5
2495f282d9843448e187592dda4bcf4f

SHA1
a8b6a96aa278dd58d6c50280c2294b9a85d3269a

SHA256
712952f1122fba1bbc1e90f094a7bca3dba7ee975f67521a022e709c71830fe8

SHA512
9f361c818dcbba5be12cce22af8244951ce466f5b22b9e7f7e2ee0a691d68b3722994486f87130de8dc3d45c5be606d1550f8b6b806c6c5ed1b3e9b136fe8eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hf2il7uv.cmdline

Filesize
248B

MD5
eb4b7c92d3b5ac74f45e598595be6458

SHA1
b83cf0e96a1af482b5d83e271b31c717bf213734

SHA256
38ced08b1ba4809f17af68e18df66c07c9330f4699207d1ce7b546c5cf2bd076

SHA512
08b60de5530747dd3f33c07d6f51ddd2966f4caf0793edbd80bf0236a1c9322e05f7b0443435be5fd48dd9a4d7761bd8cce216e0b3c24d8096f8387a22504d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC6A9.tmp

Filesize
644B

MD5
070d19a29fd713891607e27d97ead816

SHA1
e42cf75eb53e89ce253dea01274f383bc498cb3b

SHA256
1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e

SHA512
65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef

Download Submit
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe

Filesize
7KB

MD5
2c69d8e1a1d1d42754648c0e5afa3d16

SHA1
c886f0103e1ab4a6abc759d85904b218cdeeb838

SHA256
df6caba150c3618123ea4ec94bdb4a5dcf70abcbc95dde54e81a10b642d09140

SHA512
ed4c4a256e4519ed420200071d1368db51ec68f6e1bded9a5c16e34fb879e450a15131506a99cdec20886bf41a3120e023ac21f89638eb68ac32381e7c4300ac

Download Submit
C:\Users\Admin\AppData\Roaming\flashmk.exe

Filesize
1.3MB

MD5
5e412597778f7df65155685a8bdcd4be

SHA1
1086c375c09c07486f0542c679a74d61dd943594

SHA256
f805abca58f0933dc66b09f7b9886394a92d481343df2851415f673b2b7ca0f2

SHA512
579bb3cea0b8daa74b9221191d4ad484f92379f01f8298d055fb50e3ae0a58e15847b6933ab6d6960564ebd0625d680ca31b7d74e2a233d7b43ae9e9de1438da

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
102B

MD5
5e173d5661f1703abc3260e4c324026b

SHA1
6faee2710344fe5afbfa4d307b70a33ab234503b

SHA256
d111a7bfe9d17c72ef5db3cf1aabd6ce25f226a0a0b5ee023ae8d286c7f21f14

SHA512
a8715d0a55396163f8119d1dd463b5aa7f61dbe414ffef9fb10ca2d938e762f26217a7f63865232f505ade67b60dbae3e9e8d83b1afa484a0c55f027744b5a6c

Download Submit
memory/2536-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2536-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2536-20-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2536-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2536-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2536-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2536-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2664-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-62-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-75-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-73-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-51-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-61-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-58-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-63-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2664-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2696-29-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2696-38-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2996-0-0x0000000074AE1000-0x0000000074AE2000-memory.dmp

Filesize
4KB

Download
memory/2996-1-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-44-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-2-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download