gh0strat | 7f90d34e5154e6b3be192629776dd556785799a62b74ec816bfd2d0caf82a06b

Analysis

max time kernel
90s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d355265faef465587580732d8401886.exe
Size

148KB
MD5

7d355265faef465587580732d8401886
SHA1

0c64fa523ebf294cbe7e43267dbc7e0f9534b15a
SHA256

7f90d34e5154e6b3be192629776dd556785799a62b74ec816bfd2d0caf82a06b
SHA512

5807a293860b85a1faad2c51f9b21366e42f582d2adbb49ef4900d9090eb70625c8001c21aa9881b2ed4549670acf96b4fadbaf9816e3e7ce29b79ec8d2a472e
SSDEEP

3072:lhT2137DYmJRJKph0QinoLKY6rlmkrylwdxMnoRvsiKm5NHVMSGkN:lhRqJkLLgrl8ltnbi5N1MSG6

Score

10^/10

gh0strat evasion persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231e3-5.dat	family_gh0strat
behavioral2/memory/2028-11-0x0000000000400000-0x0000000000436000-memory.dmp	family_gh0strat
behavioral2/memory/2028-24-0x0000000000400000-0x0000000000436000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\windows.exe = "C:\\windows.exe:*:enabled:@shell32.dll,-1"	windows.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windows.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	windows.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	windows.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D57E229-92BE-49d8-9EEC-22A7D1253BB4}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D57E229-92BE-49d8-9EEC-22A7D1253BB4}\stubpath = "C:\\Windows\\system32\\insvxwpco.exe"	windows.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	7d355265faef465587580732d8401886.exe

Executes dropped EXE 1 IoCs

pid	Process
2028	windows.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\insvxwpco.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\insvxwpco.exe_lang.ini	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3596	2028	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	windows.exe
Token: SeDebugPrivilege	2028	windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2028	1320	7d355265faef465587580732d8401886.exe	85
PID 1320 wrote to memory of 2028	1320	7d355265faef465587580732d8401886.exe	85
PID 1320 wrote to memory of 2028	1320	7d355265faef465587580732d8401886.exe	85
PID 2028 wrote to memory of 616	2028	windows.exe	4
PID 2028 wrote to memory of 616	2028	windows.exe	4
PID 2028 wrote to memory of 616	2028	windows.exe	4
PID 2028 wrote to memory of 616	2028	windows.exe	4
PID 2028 wrote to memory of 616	2028	windows.exe	4
PID 2028 wrote to memory of 616	2028	windows.exe	4
PID 2028 wrote to memory of 672	2028	windows.exe	2
PID 2028 wrote to memory of 672	2028	windows.exe	2
PID 2028 wrote to memory of 672	2028	windows.exe	2
PID 2028 wrote to memory of 672	2028	windows.exe	2
PID 2028 wrote to memory of 672	2028	windows.exe	2
PID 2028 wrote to memory of 672	2028	windows.exe	2
PID 2028 wrote to memory of 756	2028	windows.exe	8
PID 2028 wrote to memory of 756	2028	windows.exe	8
PID 2028 wrote to memory of 756	2028	windows.exe	8
PID 2028 wrote to memory of 756	2028	windows.exe	8
PID 2028 wrote to memory of 756	2028	windows.exe	8
PID 2028 wrote to memory of 756	2028	windows.exe	8
PID 2028 wrote to memory of 760	2028	windows.exe	82
PID 2028 wrote to memory of 760	2028	windows.exe	82
PID 2028 wrote to memory of 760	2028	windows.exe	82
PID 2028 wrote to memory of 760	2028	windows.exe	82
PID 2028 wrote to memory of 760	2028	windows.exe	82
PID 2028 wrote to memory of 760	2028	windows.exe	82
PID 2028 wrote to memory of 788	2028	windows.exe	81
PID 2028 wrote to memory of 788	2028	windows.exe	81
PID 2028 wrote to memory of 788	2028	windows.exe	81
PID 2028 wrote to memory of 788	2028	windows.exe	81
PID 2028 wrote to memory of 788	2028	windows.exe	81
PID 2028 wrote to memory of 788	2028	windows.exe	81
PID 2028 wrote to memory of 908	2028	windows.exe	80
PID 2028 wrote to memory of 908	2028	windows.exe	80
PID 2028 wrote to memory of 908	2028	windows.exe	80
PID 2028 wrote to memory of 908	2028	windows.exe	80
PID 2028 wrote to memory of 908	2028	windows.exe	80
PID 2028 wrote to memory of 908	2028	windows.exe	80
PID 2028 wrote to memory of 956	2028	windows.exe	79
PID 2028 wrote to memory of 956	2028	windows.exe	79
PID 2028 wrote to memory of 956	2028	windows.exe	79
PID 2028 wrote to memory of 956	2028	windows.exe	79
PID 2028 wrote to memory of 956	2028	windows.exe	79
PID 2028 wrote to memory of 956	2028	windows.exe	79
PID 2028 wrote to memory of 60	2028	windows.exe	9
PID 2028 wrote to memory of 60	2028	windows.exe	9
PID 2028 wrote to memory of 60	2028	windows.exe	9
PID 2028 wrote to memory of 60	2028	windows.exe	9
PID 2028 wrote to memory of 60	2028	windows.exe	9
PID 2028 wrote to memory of 60	2028	windows.exe	9
PID 2028 wrote to memory of 392	2028	windows.exe	10
PID 2028 wrote to memory of 392	2028	windows.exe	10
PID 2028 wrote to memory of 392	2028	windows.exe	10
PID 2028 wrote to memory of 392	2028	windows.exe	10
PID 2028 wrote to memory of 392	2028	windows.exe	10
PID 2028 wrote to memory of 392	2028	windows.exe	10
PID 2028 wrote to memory of 652	2028	windows.exe	78
PID 2028 wrote to memory of 652	2028	windows.exe	78
PID 2028 wrote to memory of 652	2028	windows.exe	78
PID 2028 wrote to memory of 652	2028	windows.exe	78
PID 2028 wrote to memory of 652	2028	windows.exe	78
PID 2028 wrote to memory of 652	2028	windows.exe	78
PID 2028 wrote to memory of 1064	2028	windows.exe	77

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:756
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3748

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3628
- C:\Users\Admin\AppData\Local\Temp\7d355265faef465587580732d8401886.exe
  "C:\Users\Admin\AppData\Local\Temp\7d355265faef465587580732d8401886.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\windows.exe
    "C:\windows.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 848
      4⤵
      Program crash
      PID:3596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3524

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2956

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2868

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2720

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1952

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:516

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2972

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4348

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4920

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4236

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3904

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2028 -ip 2028
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows.exe

Filesize
201KB

MD5
02d4c9a92b4d17cec860b4d6089d7453

SHA1
1f43da3736724fbc13c54120369484f7dbe59290

SHA256
afc33ff93923983c4d4d70281cc840b7de3d99e070a280f5376082b529eb211a

SHA512
de931cca11ed7181f395258eb3bef65aae301a97357311eceea331ea4d23970519bd812b6eca85718a0779119eac5b429193fec2a47951bcb02210b08339c34e

Download Submit
memory/2028-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-13-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2028-14-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/2028-15-0x00000000779F3000-0x00000000779F4000-memory.dmp

Filesize
4KB

Download
memory/2028-16-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2028-20-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2028-21-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2028-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download