gh0strat | ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664

Analysis

max time kernel
36s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Guduak Private.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral1/memory/4400-133-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000231eb-145.dat	family_gh0strat
behavioral1/files/0x00080000000231eb-144.dat	family_gh0strat
behavioral1/memory/4416-148-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral1/memory/4400-154-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral1/files/0x00090000000231f3-158.dat	family_gh0strat
behavioral1/files/0x00090000000231f3-159.dat	family_gh0strat
behavioral1/memory/4416-174-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral1/files/0x00090000000231f3-178.dat	family_gh0strat
behavioral1/files/0x00090000000231f3-182.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000231f0-135.dat	acprotect
behavioral1/files/0x00070000000231f0-137.dat	acprotect
behavioral1/files/0x000400000001e816-151.dat	acprotect
behavioral1/files/0x000400000001e816-149.dat	acprotect
behavioral1/files/0x000400000001e816-147.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4416	ijsirtytri

Loads dropped DLL 7 IoCs

pid	Process
4400	Guduak Private.exe
4400	Guduak Private.exe
4416	ijsirtytri
4416	ijsirtytri
3700	svchost.exe
2224	svchost.exe
2632	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pakjrdmpsy	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\phohypwgsf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\phfmwyeygq	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2600	3700	WerFault.exe	86
1692	2224	WerFault.exe	91
4032	2632	WerFault.exe	94

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4416	ijsirtytri
4416	ijsirtytri
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeRestorePrivilege	4416	ijsirtytri
Token: SeBackupPrivilege	4416	ijsirtytri
Token: SeBackupPrivilege	4416	ijsirtytri
Token: SeRestorePrivilege	4416	ijsirtytri
Token: SeDebugPrivilege	3088	taskmgr.exe
Token: SeSystemProfilePrivilege	3088	taskmgr.exe
Token: SeCreateGlobalPrivilege	3088	taskmgr.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeRestorePrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeSecurityPrivilege	3700	svchost.exe
Token: SeSecurityPrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeSecurityPrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeSecurityPrivilege	3700	svchost.exe
Token: SeBackupPrivilege	3700	svchost.exe
Token: SeRestorePrivilege	3700	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeRestorePrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeSecurityPrivilege	2632	svchost.exe
Token: SeSecurityPrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeSecurityPrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeSecurityPrivilege	2632	svchost.exe
Token: SeBackupPrivilege	2632	svchost.exe
Token: SeRestorePrivilege	2632	svchost.exe
Token: 33	3088	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3088	taskmgr.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4400	Guduak Private.exe
4416	ijsirtytri

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4416	4400	Guduak Private.exe	85
PID 4400 wrote to memory of 4416	4400	Guduak Private.exe	85
PID 4400 wrote to memory of 4416	4400	Guduak Private.exe	85

C:\Users\Admin\AppData\Local\Temp\Guduak Private.exe
"C:\Users\Admin\AppData\Local\Temp\Guduak Private.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400
- \??\c:\users\admin\appdata\local\ijsirtytri
  "C:\Users\Admin\AppData\Local\Temp\Guduak Private.exe" a -sc:\users\admin\appdata\local\temp\guduak private.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1028
  2⤵
  - Program crash
  PID:2600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
1⤵
PID:3888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1108
  2⤵
  - Program crash
  PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2224 -ip 2224
1⤵
PID:2684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 936
  2⤵
  - Program crash
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2632 -ip 2632
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DRM\%SESSIONNAME%\yybtw.cc3

Filesize
19.0MB

MD5
cb9ba89f01ce8c35508632c618fad0a3

SHA1
307bbd6e038f6c9ef15de98884cda3c82ac973e1

SHA256
920d4fac40acdebe8612e65cea006933cbb4656eb8d42d7d9472fee76ce08a67

SHA512
8fe6ccc085013d20956e557a044262c01208de04ef5af2e1be019aa8934f00cb05ed4c5197467146dcdc4b7d81662a06c854e70116d090b0e22cc5998a9c6158

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\yybtw.cc3

Filesize
19.0MB

MD5
cb9ba89f01ce8c35508632c618fad0a3

SHA1
307bbd6e038f6c9ef15de98884cda3c82ac973e1

SHA256
920d4fac40acdebe8612e65cea006933cbb4656eb8d42d7d9472fee76ce08a67

SHA512
8fe6ccc085013d20956e557a044262c01208de04ef5af2e1be019aa8934f00cb05ed4c5197467146dcdc4b7d81662a06c854e70116d090b0e22cc5998a9c6158

Download Submit
C:\ProgramData\DRM\%SESSIONNAME%\yybtw.cc3

Filesize
19.0MB

MD5
cb9ba89f01ce8c35508632c618fad0a3

SHA1
307bbd6e038f6c9ef15de98884cda3c82ac973e1

SHA256
920d4fac40acdebe8612e65cea006933cbb4656eb8d42d7d9472fee76ce08a67

SHA512
8fe6ccc085013d20956e557a044262c01208de04ef5af2e1be019aa8934f00cb05ed4c5197467146dcdc4b7d81662a06c854e70116d090b0e22cc5998a9c6158

Download Submit
C:\Users\Admin\AppData\Local\Temp\pni879F.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\pni879F.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\pni879F.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmi7BD7.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmi7BD7.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
C:\Users\Admin\AppData\Local\ijsirtytri

Filesize
22.4MB

MD5
09480c49b23518809ba0e28a4be1690e

SHA1
37c4a6f4ed8199397f2cc31d72bbce2b0cc14bba

SHA256
b36e043eb7b3f76855de20efc58aa41dd14e3ef121546878477870b51754a866

SHA512
bf9138dd919d5898e9c0a965604bcffe09cc7647a28153186ddb6eee5ba8de559a6f9a667d5ad09679872e9da99651c7030deb5acad71d4aab9930a05188a930

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
200B

MD5
29ca770366079590b48df3a0bf278e66

SHA1
a35266f4bc17f89c7b6d284a11ff3a38da9fded1

SHA256
e4841b63456b9e43527f5992bf9ebcc189bb046a38b3ba18746848e8c9039103

SHA512
da21f7effc0814adff44ab7eb4866ef866159ada4da66a783d719e338d9b3409a31659aeed9a11b6c5cbf3c69083d278631c9c8d9ce631aa32d78d5bcf77f055

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
300B

MD5
30416171d4948920916efbd4560933c7

SHA1
3d241d6efd0e718aad1ba9a91d66e591086c75b2

SHA256
6c672d84b03688f31366a73e3e9418dfa523e696de88abffaf87c3ab0afa9ec8

SHA512
1ec5e3859548a75e406381f3fa52cfc2bcdf0f095c159000627543a76dcb1c6c312bdb73123252c7a7cbc400fc4ff131edff9a1a9644c895c0fd16f28acf6526

Download Submit
\??\c:\programdata\drm\%sessionname%\yybtw.cc3

Filesize
19.0MB

MD5
cb9ba89f01ce8c35508632c618fad0a3

SHA1
307bbd6e038f6c9ef15de98884cda3c82ac973e1

SHA256
920d4fac40acdebe8612e65cea006933cbb4656eb8d42d7d9472fee76ce08a67

SHA512
8fe6ccc085013d20956e557a044262c01208de04ef5af2e1be019aa8934f00cb05ed4c5197467146dcdc4b7d81662a06c854e70116d090b0e22cc5998a9c6158

Download Submit
\??\c:\users\admin\appdata\local\ijsirtytri

Filesize
22.4MB

MD5
09480c49b23518809ba0e28a4be1690e

SHA1
37c4a6f4ed8199397f2cc31d72bbce2b0cc14bba

SHA256
b36e043eb7b3f76855de20efc58aa41dd14e3ef121546878477870b51754a866

SHA512
bf9138dd919d5898e9c0a965604bcffe09cc7647a28153186ddb6eee5ba8de559a6f9a667d5ad09679872e9da99651c7030deb5acad71d4aab9930a05188a930

Download Submit
memory/2224-179-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/2632-183-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/3088-172-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-173-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-163-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-162-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-167-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-168-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-169-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-170-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-171-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3088-161-0x0000023E0BC90000-0x0000023E0BC91000-memory.dmp

Filesize
4KB

Download
memory/3700-176-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/4400-133-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4400-154-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4400-146-0x0000000001F70000-0x0000000001FE4000-memory.dmp

Filesize
464KB

Download
memory/4400-140-0x0000000001F70000-0x0000000001FE4000-memory.dmp

Filesize
464KB

Download
memory/4416-174-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/4416-175-0x0000000000570000-0x00000000005E4000-memory.dmp

Filesize
464KB

Download
memory/4416-160-0x0000000000570000-0x00000000005E4000-memory.dmp

Filesize
464KB

Download
memory/4416-155-0x0000000000570000-0x00000000005E4000-memory.dmp

Filesize
464KB

Download
memory/4416-148-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download