gh0strat | 37fc9403c356982e20122b5ba7c9c79d638cb96e5a730999d51ebf5e990f1de1

Analysis

max time kernel
299s
max time network
297s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

电子发票.exe
Size

802KB
MD5

edfbb83534100f3860a535f2d0e426c3
SHA1

42d2de7ec349ff289b34103f4b88f2121058ff5c
SHA256

df1c27d04216f9a99654d95347f8c20bc23cc88dc71ff895f0505f0ce9c776cb
SHA512

0f95ecaabfa0f83fa4509ea72efafd59b6c35e20e9169cfd11de1e580ba6914782e7ad339d15875bbff870ff38133cc633d223b7cbd976ac7b258c5a084bb91a
SSDEEP

24576:Sny/f9uCYXP25JiBvuXwKhbBh4iv/IVVWX7PPR0gthPW1:XFmIJSmgaVhvv/IVKrPy

Score

10^/10

gh0strat purplefox aspackv2 rat rootkit trojan

Malware Config

Extracted

Family

gh0strat

103.127.83.61

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/340-124-0x0000000010000000-0x0000000010192000-memory.dmp	purplefox_rootkit
behavioral1/memory/340-127-0x0000000000400000-0x000000000060E000-memory.dmp	purplefox_rootkit
behavioral1/memory/340-137-0x0000000000400000-0x000000000060E000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/340-124-0x0000000010000000-0x0000000010192000-memory.dmp	family_gh0strat
behavioral1/memory/340-127-0x0000000000400000-0x000000000060E000-memory.dmp	family_gh0strat
behavioral1/memory/340-137-0x0000000000400000-0x000000000060E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Downloads MZ/PE file

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe	aspack_v212_v242

Executes dropped EXE 4 IoCs

Processes:

Project.exemusic.exe_config.exe_config.exe

pid process

1748 Project.exe
340 music.exe
1904 _config.exe
588 _config.exe

pid	process
1748	Project.exe
340	music.exe
1904	_config.exe
588	_config.exe

Loads dropped DLL 9 IoCs

Processes:

电子发票.exeProject.exe

pid	process
1752	电子发票.exe
1752	电子发票.exe
1752	电子发票.exe
1752	电子发票.exe
1748	Project.exe
1748	Project.exe
1748	Project.exe
1748	Project.exe
1748	Project.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

music.exe

description	ioc	process
File opened (read-only)	\??\U:	music.exe
File opened (read-only)	\??\W:	music.exe
File opened (read-only)	\??\F:	music.exe
File opened (read-only)	\??\I:	music.exe
File opened (read-only)	\??\K:	music.exe
File opened (read-only)	\??\R:	music.exe
File opened (read-only)	\??\T:	music.exe
File opened (read-only)	\??\Z:	music.exe
File opened (read-only)	\??\G:	music.exe
File opened (read-only)	\??\H:	music.exe
File opened (read-only)	\??\Q:	music.exe
File opened (read-only)	\??\V:	music.exe
File opened (read-only)	\??\X:	music.exe
File opened (read-only)	\??\E:	music.exe
File opened (read-only)	\??\J:	music.exe
File opened (read-only)	\??\L:	music.exe
File opened (read-only)	\??\O:	music.exe
File opened (read-only)	\??\P:	music.exe
File opened (read-only)	\??\S:	music.exe
File opened (read-only)	\??\Y:	music.exe
File opened (read-only)	\??\B:	music.exe
File opened (read-only)	\??\M:	music.exe
File opened (read-only)	\??\N:	music.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

music.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	music.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	music.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

music.exe

pid	process
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe
340	music.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

helppane.exe

description pid process

Token: SeTakeOwnershipPrivilege 2020 helppane.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

helppane.exe

pid process

2020 helppane.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

helppane.exe

pid process

2020 helppane.exe
2020 helppane.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2020	helppane.exe

pid	process
2020	helppane.exe

pid	process
2020	helppane.exe
2020	helppane.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

电子发票.exeProject.exehelppane.exe_config.exe

description	pid	process	target process
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1752 wrote to memory of 1748	1752	电子发票.exe	Project.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 340	1748	Project.exe	music.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 1748 wrote to memory of 1904	1748	Project.exe	_config.exe
PID 2020 wrote to memory of 588	2020	helppane.exe	_config.exe
PID 2020 wrote to memory of 588	2020	helppane.exe	_config.exe
PID 2020 wrote to memory of 588	2020	helppane.exe	_config.exe
PID 2020 wrote to memory of 588	2020	helppane.exe	_config.exe
PID 588 wrote to memory of 1792	588	_config.exe	reg.exe
PID 588 wrote to memory of 1792	588	_config.exe	reg.exe
PID 588 wrote to memory of 1792	588	_config.exe	reg.exe
PID 588 wrote to memory of 1792	588	_config.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\电子发票.exe
"C:\Users\Admin\AppData\Local\Temp\电子发票.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\nnpppprrrr\music.exe
"C:\Users\Admin\AppData\Roaming\nnpppprrrr\music.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:340

C:\Users\Admin\AppData\Local\Temp\_config.exe
"C:\Users\Admin\AppData\Local\Temp\_config.exe"
3⤵
- Executes dropped EXE
PID:1904

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\_config.exe
"C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nnpppprrrr" /f
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nnpppprrrr" /f
3⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\ROAMING\NNPPPPRRRR\MUSIC.EXE
Filesize
29.0MB

MD5
0eced94273a76722b8867efad60b9c4c

SHA1
c11788a3d35d6ed77d696fbdde22ad5c3bf86e3b

SHA256
36fadbc7a0058168dc9f341447cd8e32021bbe49d88ee23a3486d8dc7b58b863

SHA512
caa256c921d4c67ed8ebc308619b83003a63e45fc592285323fbfc4541c0b9a26e8f156e8d990bbb5a35e44ce7b69aa1fd6c31f8ca299ef5065c800128cd4237

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
1.1MB

MD5
c78e5127eb6418fc9ec35e6a2d383520

SHA1
540d659e20014dbe395968b66192a47c3a4f3b90

SHA256
f3971e492b996d5d6e5c6b4161abdda44dc09a90d152071f877bc9d8f1769984

SHA512
939319ddb31a1fdc9cd3f61fa2df0f58018c3e8b31de7bbeb69faa16b0795e37daaef48b5e47ccb62ea47d38cefa0534a341c41caf381252cddfa2693ed76de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
1.1MB

MD5
c78e5127eb6418fc9ec35e6a2d383520

SHA1
540d659e20014dbe395968b66192a47c3a4f3b90

SHA256
f3971e492b996d5d6e5c6b4161abdda44dc09a90d152071f877bc9d8f1769984

SHA512
939319ddb31a1fdc9cd3f61fa2df0f58018c3e8b31de7bbeb69faa16b0795e37daaef48b5e47ccb62ea47d38cefa0534a341c41caf381252cddfa2693ed76de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vmprotectsdk32.dll
Filesize
98KB

MD5
29e0b67635a30d87d929bc1614eff68f

SHA1
180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b

SHA256
b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e

SHA512
68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.lnk
Filesize
2KB

MD5
422eef926f45aa3af67a0d5c575f6cdd

SHA1
5f56073d943f6154de37b6a23408b60b0e99e714

SHA256
dc7c6f61f776af6ac92c572e04c8965688dd185aaa4ca687878d931074a8ac1d

SHA512
dc7eeca707acd45cb01d257fe4ba177c3bf567766f788efe06b3f605b774c1179d81180bc4b85a665744fcc90f7f317abd4ed4f6c1c996044267a6c03cdc6923

Download Submit
C:\Users\Admin\AppData\Roaming\nnpppprrrr\music.exe
Filesize
29.0MB

MD5
0eced94273a76722b8867efad60b9c4c

SHA1
c11788a3d35d6ed77d696fbdde22ad5c3bf86e3b

SHA256
36fadbc7a0058168dc9f341447cd8e32021bbe49d88ee23a3486d8dc7b58b863

SHA512
caa256c921d4c67ed8ebc308619b83003a63e45fc592285323fbfc4541c0b9a26e8f156e8d990bbb5a35e44ce7b69aa1fd6c31f8ca299ef5065c800128cd4237

Download Submit
C:\Users\Admin\AppData\Roaming\nnpppprrrr\music.exe
Filesize
29.0MB

MD5
0eced94273a76722b8867efad60b9c4c

SHA1
c11788a3d35d6ed77d696fbdde22ad5c3bf86e3b

SHA256
36fadbc7a0058168dc9f341447cd8e32021bbe49d88ee23a3486d8dc7b58b863

SHA512
caa256c921d4c67ed8ebc308619b83003a63e45fc592285323fbfc4541c0b9a26e8f156e8d990bbb5a35e44ce7b69aa1fd6c31f8ca299ef5065c800128cd4237

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
1.1MB

MD5
c78e5127eb6418fc9ec35e6a2d383520

SHA1
540d659e20014dbe395968b66192a47c3a4f3b90

SHA256
f3971e492b996d5d6e5c6b4161abdda44dc09a90d152071f877bc9d8f1769984

SHA512
939319ddb31a1fdc9cd3f61fa2df0f58018c3e8b31de7bbeb69faa16b0795e37daaef48b5e47ccb62ea47d38cefa0534a341c41caf381252cddfa2693ed76de8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
1.1MB

MD5
c78e5127eb6418fc9ec35e6a2d383520

SHA1
540d659e20014dbe395968b66192a47c3a4f3b90

SHA256
f3971e492b996d5d6e5c6b4161abdda44dc09a90d152071f877bc9d8f1769984

SHA512
939319ddb31a1fdc9cd3f61fa2df0f58018c3e8b31de7bbeb69faa16b0795e37daaef48b5e47ccb62ea47d38cefa0534a341c41caf381252cddfa2693ed76de8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
1.1MB

MD5
c78e5127eb6418fc9ec35e6a2d383520

SHA1
540d659e20014dbe395968b66192a47c3a4f3b90

SHA256
f3971e492b996d5d6e5c6b4161abdda44dc09a90d152071f877bc9d8f1769984

SHA512
939319ddb31a1fdc9cd3f61fa2df0f58018c3e8b31de7bbeb69faa16b0795e37daaef48b5e47ccb62ea47d38cefa0534a341c41caf381252cddfa2693ed76de8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
Filesize
1.1MB

MD5
c78e5127eb6418fc9ec35e6a2d383520

SHA1
540d659e20014dbe395968b66192a47c3a4f3b90

SHA256
f3971e492b996d5d6e5c6b4161abdda44dc09a90d152071f877bc9d8f1769984

SHA512
939319ddb31a1fdc9cd3f61fa2df0f58018c3e8b31de7bbeb69faa16b0795e37daaef48b5e47ccb62ea47d38cefa0534a341c41caf381252cddfa2693ed76de8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK32.dll
Filesize
98KB

MD5
29e0b67635a30d87d929bc1614eff68f

SHA1
180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b

SHA256
b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e

SHA512
68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

Download Submit
\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
\Users\Admin\AppData\Roaming\nnpppprrrr\music.exe
Filesize
29.0MB

MD5
0eced94273a76722b8867efad60b9c4c

SHA1
c11788a3d35d6ed77d696fbdde22ad5c3bf86e3b

SHA256
36fadbc7a0058168dc9f341447cd8e32021bbe49d88ee23a3486d8dc7b58b863

SHA512
caa256c921d4c67ed8ebc308619b83003a63e45fc592285323fbfc4541c0b9a26e8f156e8d990bbb5a35e44ce7b69aa1fd6c31f8ca299ef5065c800128cd4237

Download Submit
\Users\Admin\AppData\Roaming\nnpppprrrr\music.exe
Filesize
29.0MB

MD5
0eced94273a76722b8867efad60b9c4c

SHA1
c11788a3d35d6ed77d696fbdde22ad5c3bf86e3b

SHA256
36fadbc7a0058168dc9f341447cd8e32021bbe49d88ee23a3486d8dc7b58b863

SHA512
caa256c921d4c67ed8ebc308619b83003a63e45fc592285323fbfc4541c0b9a26e8f156e8d990bbb5a35e44ce7b69aa1fd6c31f8ca299ef5065c800128cd4237

Download Submit
memory/340-124-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/340-127-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/340-137-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/340-135-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/340-114-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/1748-76-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-125-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-77-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-78-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1748-112-0x0000000003C90000-0x0000000003E9E000-memory.dmp

Filesize
2.1MB

Download
memory/1748-116-0x0000000003C90000-0x0000000003E9E000-memory.dmp

Filesize
2.1MB

Download
memory/1748-75-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-139-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-74-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1748-142-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/1752-70-0x0000000003290000-0x00000000035A9000-memory.dmp

Filesize
3.1MB

Download
memory/2020-136-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download