darkcomet | e03354e8c2cb5ae108a2806ecffe8758eb91830884b810c16e7f743e53ce238d

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Size

322KB
MD5

974cac47e7b631754c9184e8bc84905f
SHA1

da80a570cf19a35babb40226d1e3907251f6b286
SHA256

e03354e8c2cb5ae108a2806ecffe8758eb91830884b810c16e7f743e53ce238d
SHA512

5fe9df9504c0c4bc413b8372c33c11886a54a767cc2c1cb49cbacb38492782bab83e6b3aacda311b207ab7ad851e43f379c8b8898a32eccae9482f650849f88e
SSDEEP

6144:51TFYFW3qr6mdDe377FTJEC1h0EaS8Md10cphn6E3grMJencJxoz6wGlLi:5U6qzRy77FlEC12Enj3Q3cW6/l

Score

10^/10

darkcomet normal discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Normal

carbonfibers.myftp.biz:1656

carbonfibers.linkpc.net:1656

Mutex

DC_MUTEX-5GX4X3J

Attributes

InstallPath
System Services\svchost.exe
gencode
ocw5E1nj2p5Z
install
true
offline_keylogger
true
password
92496
persistence
true
reg_key
System Services Host

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\System Services\\svchost.exe"	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1124	attrib.exe
2992	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	svchost.exe
580	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\System Services\\svchost.exe"	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\System Services\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2840 set thread context of 580	2840	svchost.exe	39

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-11-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-12-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-7-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-5-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-15-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-18-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-16-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-14-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-17-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2792-33-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/580-44-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/580-45-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/580-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/580-47-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/580-46-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/580-90-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
580	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeBackupPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeRestorePrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeShutdownPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeUndockPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: 33	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: 34	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: 35	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	svchost.exe
Token: SeIncreaseQuotaPrivilege	580	svchost.exe
Token: SeSecurityPrivilege	580	svchost.exe
Token: SeTakeOwnershipPrivilege	580	svchost.exe
Token: SeLoadDriverPrivilege	580	svchost.exe
Token: SeSystemProfilePrivilege	580	svchost.exe
Token: SeSystemtimePrivilege	580	svchost.exe
Token: SeProfSingleProcessPrivilege	580	svchost.exe
Token: SeIncBasePriorityPrivilege	580	svchost.exe
Token: SeCreatePagefilePrivilege	580	svchost.exe
Token: SeBackupPrivilege	580	svchost.exe
Token: SeRestorePrivilege	580	svchost.exe
Token: SeShutdownPrivilege	580	svchost.exe
Token: SeDebugPrivilege	580	svchost.exe
Token: SeSystemEnvironmentPrivilege	580	svchost.exe
Token: SeChangeNotifyPrivilege	580	svchost.exe
Token: SeRemoteShutdownPrivilege	580	svchost.exe
Token: SeUndockPrivilege	580	svchost.exe
Token: SeManageVolumePrivilege	580	svchost.exe
Token: SeImpersonatePrivilege	580	svchost.exe
Token: SeCreateGlobalPrivilege	580	svchost.exe
Token: 33	580	svchost.exe
Token: 34	580	svchost.exe
Token: 35	580	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
580	svchost.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2792	2704	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2692	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2692	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2692	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2692	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2604	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2604	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2604	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2604	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	34
PID 2692 wrote to memory of 1124	2692	cmd.exe	36
PID 2692 wrote to memory of 1124	2692	cmd.exe	36
PID 2692 wrote to memory of 1124	2692	cmd.exe	36
PID 2692 wrote to memory of 1124	2692	cmd.exe	36
PID 2604 wrote to memory of 2992	2604	cmd.exe	37
PID 2604 wrote to memory of 2992	2604	cmd.exe	37
PID 2604 wrote to memory of 2992	2604	cmd.exe	37
PID 2604 wrote to memory of 2992	2604	cmd.exe	37
PID 2792 wrote to memory of 2840	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	38
PID 2792 wrote to memory of 2840	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	38
PID 2792 wrote to memory of 2840	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	38
PID 2792 wrote to memory of 2840	2792	974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe	38
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 2840 wrote to memory of 580	2840	svchost.exe	39
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40
PID 580 wrote to memory of 1284	580	svchost.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1124	attrib.exe
2992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe
  974cac47e7b631754c9184e8bc84905f_JaffaCakes118
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\974cac47e7b631754c9184e8bc84905f_JaffaCakes118.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2992
- - C:\Users\Admin\AppData\Roaming\System Services\svchost.exe
    "C:\Users\Admin\AppData\Roaming\System Services\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Roaming\System Services\svchost.exe
      svchost
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\System Services\svchost.exe

Filesize
322KB

MD5
974cac47e7b631754c9184e8bc84905f

SHA1
da80a570cf19a35babb40226d1e3907251f6b286

SHA256
e03354e8c2cb5ae108a2806ecffe8758eb91830884b810c16e7f743e53ce238d

SHA512
5fe9df9504c0c4bc413b8372c33c11886a54a767cc2c1cb49cbacb38492782bab83e6b3aacda311b207ab7ad851e43f379c8b8898a32eccae9482f650849f88e

Download Submit
memory/580-90-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/580-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/580-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/580-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/580-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/580-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1284-48-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2704-19-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

Filesize
4KB

Download
memory/2704-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-5-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-14-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-17-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-7-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-3-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2792-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download