gh0strat | 761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070

Analysis

max time kernel
205s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
Size

3.5MB
MD5

04739b0c3b70e34004805b9289244b17
SHA1

5133ab6e9486e7b96a4255c51578ded9a55117ff
SHA256

761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070
SHA512

8e92060be5c91c396e207fe259c75e9de73f1b4f0504598d5eb3ce430f9eeda247f6546cc6277d2424a0308f7662ef373f16d8c905a3e61f5e4fa4683c661ace
SSDEEP

98304:aiITUOqj12LQMdGtT55jk+qnthEULLEfXs:aiIQOqj63dG5jk+qt5d

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e6f-152.dat	family_gh0strat
behavioral2/files/0x0006000000022e6f-153.dat	family_gh0strat
behavioral2/files/0x0006000000022e6f-154.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 4 IoCs

pid	Process
4460	»ØÒäºÏ»÷.exe
884	»ØÒäºÏ»÷380uc.Com.exe
876	2.exe
5008	ixlfcsgtgt

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e47-138.dat	upx
behavioral2/files/0x0008000000022e47-137.dat	upx
behavioral2/memory/884-145-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral2/memory/884-147-0x0000000000400000-0x0000000000D06000-memory.dmp	upx
behavioral2/memory/884-151-0x0000000000400000-0x0000000000D06000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	»ØÒäºÏ»÷.exe

Loads dropped DLL 2 IoCs

pid	Process
1508	svchost.exe
4324	svchost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\H:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\M:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\O:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\P:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\R:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\S:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\F:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\W:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\V:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\K:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\Z:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\B:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\L:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\N:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\Q:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\U:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\Y:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\A:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\I:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\J:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\T:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\X:	»ØÒäºÏ»÷380uc.Com.exe
File opened (read-only)	\??\E:	»ØÒäºÏ»÷380uc.Com.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jaxpyochdl	svchost.exe
File created	C:\Windows\SysWOW64\jqbcpuhddb	svchost.exe
File created	C:\Windows\SysWOW64\jidofbmydr	svchost.exe
File created	C:\Windows\SysWOW64\jpxrkweiqj	svchost.exe
File created	C:\Windows\SysWOW64\kvhqkeypgu	svchost.exe
File created	C:\Windows\SysWOW64\jvtlidppmj	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jrkwqlakpp	svchost.exe
File created	C:\Windows\SysWOW64\jaxpyochdl	svchost.exe
File created	C:\Windows\SysWOW64\jimjhrffpg	svchost.exe
File created	C:\Windows\SysWOW64\kddupapatm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\jmdivcjwmw	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	\??\c:\PROGRA~3\APPLIC~1\storm\update\%SESSI~1\ldqiw.cc3	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2392	4324	WerFault.exe	96
1212	1508	WerFault.exe	92

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	»ØÒäºÏ»÷380uc.Com.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	»ØÒäºÏ»÷380uc.Com.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5008	ixlfcsgtgt
5008	ixlfcsgtgt

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeRestorePrivilege	5008	ixlfcsgtgt
Token: SeBackupPrivilege	5008	ixlfcsgtgt
Token: SeBackupPrivilege	5008	ixlfcsgtgt
Token: SeRestorePrivilege	5008	ixlfcsgtgt
Token: SeRestorePrivilege	5008	ixlfcsgtgt
Token: SeBackupPrivilege	5008	ixlfcsgtgt
Token: SeBackupPrivilege	5008	ixlfcsgtgt
Token: SeRestorePrivilege	5008	ixlfcsgtgt
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeRestorePrivilege	4324	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeSecurityPrivilege	4324	svchost.exe
Token: SeSecurityPrivilege	4324	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeSecurityPrivilege	4324	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeSecurityPrivilege	1508	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeSecurityPrivilege	4324	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	4324	svchost.exe
Token: SeRestorePrivilege	4324	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe
Token: SeBackupPrivilege	1508	svchost.exe
Token: SeRestorePrivilege	1508	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
884	»ØÒäºÏ»÷380uc.Com.exe
884	»ØÒäºÏ»÷380uc.Com.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4460	4208	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	85
PID 4208 wrote to memory of 4460	4208	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	85
PID 4208 wrote to memory of 4460	4208	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	85
PID 4208 wrote to memory of 884	4208	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	86
PID 4208 wrote to memory of 884	4208	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	86
PID 4208 wrote to memory of 884	4208	761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe	86
PID 4460 wrote to memory of 876	4460	»ØÒäºÏ»÷.exe	87
PID 4460 wrote to memory of 876	4460	»ØÒäºÏ»÷.exe	87
PID 4460 wrote to memory of 876	4460	»ØÒäºÏ»÷.exe	87
PID 4460 wrote to memory of 2052	4460	»ØÒäºÏ»÷.exe	88
PID 4460 wrote to memory of 2052	4460	»ØÒäºÏ»÷.exe	88
PID 4460 wrote to memory of 2052	4460	»ØÒäºÏ»÷.exe	88
PID 876 wrote to memory of 5008	876	2.exe	90
PID 876 wrote to memory of 5008	876	2.exe	90
PID 876 wrote to memory of 5008	876	2.exe	90

C:\Users\Admin\AppData\Local\Temp\761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe
"C:\Users\Admin\AppData\Local\Temp\761027e0093c6ae00d955599bb66f9d5c25a21962009ebb7637b4b5fe43bf070.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe
  "C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:876
  - - \??\c:\users\admin\appdata\local\ixlfcsgtgt
      "C:\Users\Admin\AppData\Local\Temp\2.exe" a -sc:\users\admin\appdata\local\temp\2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ope5B7F.bat" "" "C:\Users\Admin\AppData\Local\Temp" "»ØÒäºÏ»÷.exe""
    3⤵
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe
  "C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1056
  2⤵
  - Program crash
  PID:1212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1112
  2⤵
  - Program crash
  PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4324 -ip 4324
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1508 -ip 1508
1⤵
PID:4020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\ldqiw.cc3

Filesize
22.1MB

MD5
cbff9f741665aa802a3f3d74634b6c03

SHA1
76484768a7148dc4d1a4c3ccc6c8eca0eff0e846

SHA256
9052116175f7c44bcd706343278454654b979b5ad8d244e5b252b7425eb3ff0f

SHA512
1005b461cbe4bca6cc302bde78ae8d5fd052f0260d0763821bb3a4bfdd248d65f8eaa5aea58d53e4386f4c53bc42f75dc17c3eaee5687c55317326401497d4fe

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\ldqiw.cc3

Filesize
22.1MB

MD5
cbff9f741665aa802a3f3d74634b6c03

SHA1
76484768a7148dc4d1a4c3ccc6c8eca0eff0e846

SHA256
9052116175f7c44bcd706343278454654b979b5ad8d244e5b252b7425eb3ff0f

SHA512
1005b461cbe4bca6cc302bde78ae8d5fd052f0260d0763821bb3a4bfdd248d65f8eaa5aea58d53e4386f4c53bc42f75dc17c3eaee5687c55317326401497d4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
196KB

MD5
fe32f45152fcc3f6f8ce48730a1b483e

SHA1
5bebcd5903735345f0dd32559cc2c5ae71e93f97

SHA256
406264222162237ea0c6886b6b8c36fd79b6ba41e15fb1f040a1c38cc62fad42

SHA512
5e807179db0ccd9a129389b95f65867f8a8189b1a18bf96d85cc4e9df4bf1bb11925d0fc95141cfe7b0c8cfe490ac77558f849216c95e4524cb74e30c7cdf525

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
196KB

MD5
fe32f45152fcc3f6f8ce48730a1b483e

SHA1
5bebcd5903735345f0dd32559cc2c5ae71e93f97

SHA256
406264222162237ea0c6886b6b8c36fd79b6ba41e15fb1f040a1c38cc62fad42

SHA512
5e807179db0ccd9a129389b95f65867f8a8189b1a18bf96d85cc4e9df4bf1bb11925d0fc95141cfe7b0c8cfe490ac77558f849216c95e4524cb74e30c7cdf525

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope5B7F.bat

Filesize
44B

MD5
bd72f632464c3ff2f5a20870b59aa27b

SHA1
4bbb3d50ec61ce9adebf98a3c8f7a0bbe960a684

SHA256
9ddaf09d8002847f4ab98a3e2f50730aa4a6950815aeef1ec55bae5482afb0f4

SHA512
12295684b9c54f7a3a55c60be888941124072c864f1b52f438bfc04a929ba1e6add8a088f06d3812591a2441ec3409584a72d96f2dd8ebd47c7a7fce51443676

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe

Filesize
97KB

MD5
dc1f5eb6f9b7441934ee1ad83409c2ba

SHA1
4718c507e9130ea1c50f7e27cd064844acc6d0c6

SHA256
9852bc6670fa9dd2d803dcbb02d781c76337dd6b048c3e6a58d5e6a8775fa90c

SHA512
5d9a63b03c2a34794ba8b1c10faaa7a2f5afad64007c3062887e806b7686d8242b9842e78eed48bc41abea638a4a5e836d5d94b164cf664b9366cbb45e577f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷.exe

Filesize
97KB

MD5
dc1f5eb6f9b7441934ee1ad83409c2ba

SHA1
4718c507e9130ea1c50f7e27cd064844acc6d0c6

SHA256
9852bc6670fa9dd2d803dcbb02d781c76337dd6b048c3e6a58d5e6a8775fa90c

SHA512
5d9a63b03c2a34794ba8b1c10faaa7a2f5afad64007c3062887e806b7686d8242b9842e78eed48bc41abea638a4a5e836d5d94b164cf664b9366cbb45e577f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
C:\Users\Admin\AppData\Local\Temp\»ØÒäºÏ»÷380uc.Com.exe

Filesize
3.2MB

MD5
b9d00588e709536cbb117e3db5c81b81

SHA1
8809c2a2d97af12e8c0a700ed4129e6b9d5b3b19

SHA256
0f2608cc8b6fa2143424cec9cfe12d6ff1bc41317fdd92f5c8ef3b77f81d4ace

SHA512
a45bb2ff04ae8c81a31308a8baa3800a796e4abe9a6489ab952b7807dcfb40fdd89a6f15500724122726e1b86defb05fe27408198d5553edc83cbf43d48e443b

Download Submit
C:\Users\Admin\AppData\Local\ixlfcsgtgt

Filesize
24.1MB

MD5
665a2378b96fc8178e0d1aa59c2a153e

SHA1
0856db6606ec0066fa78c74d6334525eb673bfe2

SHA256
bfbdaaa96b1b4c479f1efa7190337c8a8b2c6555b737042cfb76eb081f9c0318

SHA512
485996c850dd0e6d2cfe6e0388ecaed90e5efdbb9c75912ff64303057edb81949513bd4545399d908099cb1cb894923ab0e1276b1845e7fd482c0a0a2a2eada2

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\ldqiw.cc3

Filesize
22.1MB

MD5
cbff9f741665aa802a3f3d74634b6c03

SHA1
76484768a7148dc4d1a4c3ccc6c8eca0eff0e846

SHA256
9052116175f7c44bcd706343278454654b979b5ad8d244e5b252b7425eb3ff0f

SHA512
1005b461cbe4bca6cc302bde78ae8d5fd052f0260d0763821bb3a4bfdd248d65f8eaa5aea58d53e4386f4c53bc42f75dc17c3eaee5687c55317326401497d4fe

Download Submit
\??\c:\users\admin\appdata\local\ixlfcsgtgt

Filesize
24.1MB

MD5
665a2378b96fc8178e0d1aa59c2a153e

SHA1
0856db6606ec0066fa78c74d6334525eb673bfe2

SHA256
bfbdaaa96b1b4c479f1efa7190337c8a8b2c6555b737042cfb76eb081f9c0318

SHA512
485996c850dd0e6d2cfe6e0388ecaed90e5efdbb9c75912ff64303057edb81949513bd4545399d908099cb1cb894923ab0e1276b1845e7fd482c0a0a2a2eada2

Download Submit
memory/876-140-0x0000000000000000-mapping.dmp

Download
memory/884-145-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/884-147-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/884-151-0x0000000000400000-0x0000000000D06000-memory.dmp

Filesize
9.0MB

Download
memory/884-136-0x0000000000000000-mapping.dmp

Download
memory/2052-143-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000400000-0x000000000078DD46-memory.dmp

Filesize
3.6MB

Download
memory/4208-139-0x0000000000400000-0x000000000078DD46-memory.dmp

Filesize
3.6MB

Download
memory/4460-144-0x0000000000400000-0x0000000000419FAC-memory.dmp

Filesize
103KB

Download
memory/4460-133-0x0000000000000000-mapping.dmp

Download
memory/5008-148-0x0000000000000000-mapping.dmp

Download