gh0strat | 9fb6f52969e1ef67a34e42113fa9b97fc0160245aaebd9d0b3b945583f504c97

Analysis

max time kernel
34s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2024, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sogou_pinyin_guanwang.exe
Size

181.1MB
MD5

1c87dc067d9602f265cd0f0896de4a24
SHA1

b02ab6f17bab80a57b7984512c1ea0b617fe9b18
SHA256

9fb6f52969e1ef67a34e42113fa9b97fc0160245aaebd9d0b3b945583f504c97
SHA512

1f6bfa7b63c9135b615d621c6bf75815c842980f95a999fff6372825d856eb4e620673505b4d839dfcbec6397715807d4d4da16abd81c3e964acf9f3656a0e1a
SSDEEP

3145728:Z/kfnZZRUWXNShZNxlb3oeUFRGp/K3GgUCoQKAQ6h398AWXNOQ14BDndvdX6Sy7R:SnTLXwXNf4eUSJK39U8KAQ6hN8AW9H1R

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/1172-26160-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral2/memory/1172-26180-0x0000000000400000-0x0000000001F5E000-memory.dmp	purplefox_rootkit
behavioral2/memory/2280-26183-0x0000000000400000-0x0000000001F5E000-memory.dmp	purplefox_rootkit
behavioral2/memory/15456-91143-0x0000000000400000-0x0000000001F5E000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1172-26160-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral2/memory/1172-26180-0x0000000000400000-0x0000000001F5E000-memory.dmp	family_gh0strat
behavioral2/memory/2280-26183-0x0000000000400000-0x0000000001F5E000-memory.dmp	family_gh0strat
behavioral2/memory/15456-91143-0x0000000000400000-0x0000000001F5E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe

Executes dropped EXE 4 IoCs

pid	Process
1172	cepvynkl.exe
2280	cepvynkl.exe
15456	Meume.exe
15512	cepvynkl.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Meume.exe	cepvynkl.exe
File opened for modification	C:\Windows\SysWOW64\Meume.exe	cepvynkl.exe
File opened for modification	C:\Windows\SysWOW64\Meume.exe	cepvynkl.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1172	cepvynkl.exe
2280	cepvynkl.exe
1172	cepvynkl.exe
2280	cepvynkl.exe
1172	cepvynkl.exe
2280	cepvynkl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
6868	38144	WerFault.exe	119
6880	47928	WerFault.exe	121
7008	14252	WerFault.exe	112
7016	35160	WerFault.exe	118
65176	79152	WerFault.exe	146
65104	61148	WerFault.exe	143
65088	34260	WerFault.exe	147
41576	66240	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cepvynkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cepvynkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cepvynkl.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
15476	cmd.exe
24380	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2280	cepvynkl.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 1172	4156	sogou_pinyin_guanwang.exe	94
PID 4156 wrote to memory of 1172	4156	sogou_pinyin_guanwang.exe	94
PID 4156 wrote to memory of 1172	4156	sogou_pinyin_guanwang.exe	94
PID 4156 wrote to memory of 1736	4156	sogou_pinyin_guanwang.exe	96
PID 4156 wrote to memory of 1736	4156	sogou_pinyin_guanwang.exe	96
PID 4156 wrote to memory of 1736	4156	sogou_pinyin_guanwang.exe	96
PID 1736 wrote to memory of 2280	1736	sogou_pinyin_guanwang.exe	97
PID 1736 wrote to memory of 2280	1736	sogou_pinyin_guanwang.exe	97
PID 1736 wrote to memory of 2280	1736	sogou_pinyin_guanwang.exe	97
PID 1736 wrote to memory of 4412	1736	sogou_pinyin_guanwang.exe	98
PID 1736 wrote to memory of 4412	1736	sogou_pinyin_guanwang.exe	98
PID 1736 wrote to memory of 4412	1736	sogou_pinyin_guanwang.exe	98
PID 2280 wrote to memory of 15476	2280	cepvynkl.exe	102
PID 2280 wrote to memory of 15476	2280	cepvynkl.exe	102
PID 2280 wrote to memory of 15476	2280	cepvynkl.exe	102
PID 4412 wrote to memory of 15512	4412	sogou_pinyin_guanwang.exe	103
PID 4412 wrote to memory of 15512	4412	sogou_pinyin_guanwang.exe	103
PID 4412 wrote to memory of 15512	4412	sogou_pinyin_guanwang.exe	103
PID 4412 wrote to memory of 15532	4412	sogou_pinyin_guanwang.exe	104
PID 4412 wrote to memory of 15532	4412	sogou_pinyin_guanwang.exe	104
PID 4412 wrote to memory of 15532	4412	sogou_pinyin_guanwang.exe	104

C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
  "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe > nul
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:24380
- C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
  "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
    "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe > nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:15476
- - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
    "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
      "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:15512
  - - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
      "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:15532
    - - C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        5⤵
        
        PID:34236
    - - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        5⤵
        
        PID:36312
      - C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        6⤵
        
        PID:39228
      - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        6⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        7⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14252 -s 528
        8⤵
        Program crash
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        7⤵
        
        PID:23808
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        8⤵
        
        PID:39524
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        8⤵
        
        PID:27372
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        9⤵
        
        PID:38144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 38144 -s 512
        10⤵
        Program crash
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        9⤵
        
        PID:20424
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        10⤵
        
        PID:50884
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        10⤵
        
        PID:46816
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        11⤵
        
        PID:33448
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        12⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        12⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        13⤵
        
        PID:61148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 61148 -s 516
        14⤵
        Program crash
        
        PID:65104
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        13⤵
        
        PID:68896
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        14⤵
        
        PID:34260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 34260 -s 516
        15⤵
        Program crash
        
        PID:65088
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        14⤵
        
        PID:17792
        
        C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe"
        15⤵
        
        PID:53060
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        15⤵
        
        PID:66240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 66240 -s 1604
        16⤵
        Program crash
        
        PID:41576

C:\Windows\SysWOW64\Meume.exe
C:\Windows\SysWOW64\Meume.exe -auto
1⤵
- Executes dropped EXE
PID:15456
- C:\Windows\SysWOW64\Meume.exe
  C:\Windows\SysWOW64\Meume.exe -acsi
  2⤵
  PID:35160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 35160 -s 484
    3⤵
    - Program crash
    PID:7016

C:\Windows\SysWOW64\Meume.exe
C:\Windows\SysWOW64\Meume.exe -auto
1⤵
PID:47928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 47928 -s 484
  2⤵
  - Program crash
  PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 38144 -ip 38144
1⤵
PID:6816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 47928 -ip 47928
1⤵
PID:6800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 14252 -ip 14252
1⤵
PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 35160 -ip 35160
1⤵
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 50884 -ip 50884
1⤵
PID:6712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 39524 -ip 39524
1⤵
PID:6820

C:\Windows\SysWOW64\Meume.exe
C:\Windows\SysWOW64\Meume.exe -auto
1⤵
PID:79152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 79152 -s 484
  2⤵
  - Program crash
  PID:65176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 79152 -ip 79152
1⤵
PID:22456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 61148 -ip 61148
1⤵
PID:16592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 34260 -ip 34260
1⤵
PID:57880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cepvynkl.exe

Filesize
27.4MB

MD5
d4393a1e49cf4d2b2d61efbe6b12c77a

SHA1
ed9c3aeafba0c05be7853d0933f0776290ed6943

SHA256
54784ca77b079b5f45366eeb666ed822949f985a0ee76a1945a0f9823733494d

SHA512
b5aa0c53253b219c6a363cc0ec8491bc990005fd0f982d72a3d9b7be3281b81357b233e96b51d336a2b6c59d42a06f472bba1b8a54482e3b5711102821d4048d

Download Submit
memory/1172-26160-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/1172-13-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/1172-14-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/1172-5282-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/1172-8595-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/1172-26180-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/1172-26152-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/1172-26151-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/1172-26154-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/1172-26156-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/1172-26157-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-26158-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-26166-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-26168-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-26159-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-15928-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/2280-26153-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-11870-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/2280-26181-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-26183-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/2280-3544-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/14252-70727-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/14252-73712-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/14252-60070-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/15456-32142-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/15456-71315-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15456-35947-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/15456-72728-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15456-52820-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15456-91143-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15456-26189-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/15456-55973-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15456-69879-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15456-71314-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15512-54763-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15512-74325-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15512-74960-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15512-36580-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/15512-61598-0x0000000000400000-0x0000000001F5E000-memory.dmp

Filesize
27.4MB

Download
memory/15512-39632-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/15512-26815-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/34236-67998-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/34236-53545-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/34236-62564-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/39228-60394-0x0000000076690000-0x0000000076830000-memory.dmp

Filesize
1.6MB

Download
memory/39228-64941-0x00000000771B0000-0x000000007722A000-memory.dmp

Filesize
488KB

Download
memory/39228-52327-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download
memory/39524-74445-0x0000000077380000-0x0000000077595000-memory.dmp

Filesize
2.1MB

Download