darkcomet | d2d6bdbdd2588906af1326e15acc95e6c57da1fefcc6f47e7afbc6afe26c5f43

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Size

355KB
MD5

6dc2283fb55cd0fde0341da8d56942d0
SHA1

dafbdd680d3ff148c6d92b242f9ad6cdea8ad820
SHA256

d2d6bdbdd2588906af1326e15acc95e6c57da1fefcc6f47e7afbc6afe26c5f43
SHA512

33e789b0e46d93933067acedbd40d391bbae0024070177631ce0e671772d1d31fd5a39b57edd271eac736d71269a451650003e008fedd9b4c2f24209ef9a797f
SSDEEP

6144:JFirrYQwFGDtvz1gk4vyl4/t0Sw0oamQzf5RQwRV5Rl6EqXqL1:4LhWk2tFVeaBzBWwRvR4+

Score

10^/10

darkcomet server discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Server

carbonfibers.myftp.biz:1657

Mutex

darksmoke

Attributes

InstallPath
winsrvc\svchost.exe
gencode
q0enFnK3Hmhu
install
true
offline_keylogger
true
persistence
true
reg_key
Services Host

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\winsrvc\\svchost.exe"	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe

Executes dropped EXE 2 IoCs

pid	Process
456	svchost.exe
348	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\winsrvc\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\winsrvc\\svchost.exe"	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 456 set thread context of 348	456	svchost.exe	84

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3012-3-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3012-6-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3012-7-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3012-10-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3012-9-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3012-11-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3012-74-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-82-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-83-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-81-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-86-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-85-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-89-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-88-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-90-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-91-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-92-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-93-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-94-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-95-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-96-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-97-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-98-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-99-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-100-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-101-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-102-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-103-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-104-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/348-105-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
348	svchost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeIncreaseQuotaPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeSecurityPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeTakeOwnershipPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeLoadDriverPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeSystemProfilePrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeSystemtimePrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeProfSingleProcessPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeIncBasePriorityPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeCreatePagefilePrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeBackupPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeRestorePrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeShutdownPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeDebugPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeSystemEnvironmentPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeChangeNotifyPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeRemoteShutdownPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeUndockPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeManageVolumePrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeImpersonatePrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeCreateGlobalPrivilege	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: 33	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: 34	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: 35	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: 36	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeIncreaseQuotaPrivilege	348	svchost.exe
Token: SeSecurityPrivilege	348	svchost.exe
Token: SeTakeOwnershipPrivilege	348	svchost.exe
Token: SeLoadDriverPrivilege	348	svchost.exe
Token: SeSystemProfilePrivilege	348	svchost.exe
Token: SeSystemtimePrivilege	348	svchost.exe
Token: SeProfSingleProcessPrivilege	348	svchost.exe
Token: SeIncBasePriorityPrivilege	348	svchost.exe
Token: SeCreatePagefilePrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeRestorePrivilege	348	svchost.exe
Token: SeShutdownPrivilege	348	svchost.exe
Token: SeDebugPrivilege	348	svchost.exe
Token: SeSystemEnvironmentPrivilege	348	svchost.exe
Token: SeChangeNotifyPrivilege	348	svchost.exe
Token: SeRemoteShutdownPrivilege	348	svchost.exe
Token: SeUndockPrivilege	348	svchost.exe
Token: SeManageVolumePrivilege	348	svchost.exe
Token: SeImpersonatePrivilege	348	svchost.exe
Token: SeCreateGlobalPrivilege	348	svchost.exe
Token: 33	348	svchost.exe
Token: 34	348	svchost.exe
Token: 35	348	svchost.exe
Token: 36	348	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
348	svchost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 2588 wrote to memory of 3012	2588	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	82
PID 3012 wrote to memory of 456	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	83
PID 3012 wrote to memory of 456	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	83
PID 3012 wrote to memory of 456	3012	JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe	83
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 456 wrote to memory of 348	456	svchost.exe	84
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85
PID 348 wrote to memory of 320	348	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0.exe
  JaffaCakes118_6dc2283fb55cd0fde0341da8d56942d0
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\winsrvc\svchost.exe
    "C:\Users\Admin\AppData\Roaming\winsrvc\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Roaming\winsrvc\svchost.exe
      svchost
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winsrvc\svchost.exe

Filesize
355KB

MD5
6dc2283fb55cd0fde0341da8d56942d0

SHA1
dafbdd680d3ff148c6d92b242f9ad6cdea8ad820

SHA256
d2d6bdbdd2588906af1326e15acc95e6c57da1fefcc6f47e7afbc6afe26c5f43

SHA512
33e789b0e46d93933067acedbd40d391bbae0024070177631ce0e671772d1d31fd5a39b57edd271eac736d71269a451650003e008fedd9b4c2f24209ef9a797f

Download Submit
memory/320-87-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/348-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-97-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-89-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-88-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-103-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-102-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-100-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-99-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-98-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-96-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-82-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-83-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-95-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-81-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-86-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-85-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-93-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-104-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-90-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-92-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/348-91-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/456-84-0x0000000072500000-0x0000000072AB1000-memory.dmp

Filesize
5.7MB

Download
memory/456-75-0x0000000072502000-0x0000000072503000-memory.dmp

Filesize
4KB

Download
memory/456-76-0x0000000072500000-0x0000000072AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2588-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2588-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2588-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/2588-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3012-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-3-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-7-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3012-6-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download