gh0strat | hxxp://sogousrf[.]com

Analysis

max time kernel
117s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sogousrf.com

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1528-13280-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral1/memory/1528-13289-0x0000000000400000-0x0000000001F8C000-memory.dmp	purplefox_rootkit
behavioral1/memory/7676-26433-0x0000000000400000-0x0000000001F8C000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1528-13280-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral1/memory/1528-13289-0x0000000000400000-0x0000000001F8C000-memory.dmp	family_gh0strat
behavioral1/memory/7676-26433-0x0000000000400000-0x0000000001F8C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Executes dropped EXE 1 IoCs

Processes:

sogou_pinyin_guanwang.exe

pid process

3436 sogou_pinyin_guanwang.exe

pid	process
3436	sogou_pinyin_guanwang.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2464-13298-0x0000000000400000-0x00000000006DD000-memory.dmp	upx
behavioral1/memory/2464-26434-0x0000000000400000-0x00000000006DD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

sogou_pinyin_guanwang.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sogou_pinyin_guanwang.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

62072 PING.EXE
27920 cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe

pid	process
62072	PING.EXE
27920	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768056155349293"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

62072 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4512 chrome.exe
4512 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4512 chrome.exe
4512 chrome.exe
4512 chrome.exe
4512 chrome.exe
4512 chrome.exe

pid	process
62072	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4512 wrote to memory of 2152	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 2152	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 4936	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 2164	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 2164	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe
PID 4512 wrote to memory of 3192	4512	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://sogousrf.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd1ad1cc40,0x7ffd1ad1cc4c,0x7ffd1ad1cc58
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3024,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3296,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3364 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4656,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5292,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5264,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5400,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4536
- C:\Users\Admin\Downloads\sogou_pinyin_guanwang.exe
  "C:\Users\Admin\Downloads\sogou_pinyin_guanwang.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\cswcgosb.exe
    "C:\Users\Admin\AppData\Local\Temp\cswcgosb.exe"
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\cswcgosb.exe > nul
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:27920
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:62072
- - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
    "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
    3⤵
    PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4916,i,3236144575482737798,721897192182633735,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:16244

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4492

C:\Windows\SysWOW64\Tlctl.exe
C:\Windows\SysWOW64\Tlctl.exe -auto
1⤵
PID:7676
- C:\Windows\SysWOW64\Tlctl.exe
  C:\Windows\SysWOW64\Tlctl.exe -acsi
  2⤵
  PID:27928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
453180f9ee04b77bdf27058db9a17505

SHA1
c1a64187444627e5b812493dbb8d634e36542ee0

SHA256
855b3b6cc243c4680f49d98d66f721015119f8d6d345a3d64bd387fdc9cfa524

SHA512
e60840f72d395b137d5706119aff0c7e3fed6e02c2831dd4dde7c07c48a5690db92ca8843b2cf0093d93968b865001ed75bb65f46ec70d9e3a2e5e6eb8434d24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
384e22db5790c8f2360d5a51b82eb323

SHA1
b8d6c14a5ba056e57b9b75b22f86a35ab0bfd0bb

SHA256
c210f5de5929345c7c23590e3b75ad0e91d269b6a32927fd63fae3daaeaa3e30

SHA512
3a39c5759009720d3b8d2e190b13eece30dcc1b18e7b6393810ba651cbc4cdfc1c4c65509ed4000829f3fece0e9cb6ef602589a3cd6cb654d37f0e691b42bf60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f80d0613424e19b0b041ba660d0a9a1c

SHA1
f269b96d905ac40745818d5cd65452b6f8fcd40d

SHA256
574bb7f7f9106239a4af6b26483ad70ae80fa0ebf150498ed89545e8fcad1f26

SHA512
0ee90ec608af3e2b676c467bf1d6ae62a702cf5fb70d5405747ad67f7d8614c1d645fe47430a8cebf16ed84386b9cb931dbc820b98089c274017744546331624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
746cf1938441e0cdfaae8f4ac45f7b39

SHA1
781044915843757e45f4c25fc29df5506d360627

SHA256
abc4a2dd7f83e4461d5b494c1ad17836cdb142c5f6d5f911eeb07da3abd12f89

SHA512
43d34cc91899362417736936b958245b80c7ea1eec13a3ae10ba83f29ea51df4a3ee4c918c9945a8b22fabe671a34dd247aa217a4508b646dd1054156ec6a2a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f79c3f895f9e6a2c40c5af34ce0c117

SHA1
11ef74676142fcda7945ca544582e1d6ea5a7f0a

SHA256
ff7cd2aad10d4543b1548b59880961871081aa1bdea9ee9b7db1f608ec88f97e

SHA512
a7e28ed097fdf469a8512352e107bb516fa703866eac1ab5383aa63b8b8c354476cd5d76340528b88738e6f27b21f7f622b9cfa79177787b1058c37a76dfcd6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07f8ecca94bca008dd670b07c0aece73

SHA1
5b6305fb93eb8afca72f1f03f75a38fc421316b4

SHA256
8f1632085323d2d9e39eafcafbd582be781fe5bf60c5b12837751804fe8fbe20

SHA512
0af1dbb60b9fc505215c52b91747d1058d68eff63087c812178d5412a3c07fd125bd0d5f3551bad97b20cf2c69a0713a4506669c3803375c0b6c291fca712e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08324934a873fd8cd11dc009e57bf1d3

SHA1
2136b9c966221007a15e296ce4e1a4c198ab2d64

SHA256
1dbb9d47337a4e78b8c5da7c31293680118a9d603121f05f4a2784a576ec87a3

SHA512
da3164c297dc2bf5dd76be1d17941720aab2f5637d26bf5ea748e38b1d3a98614ea46c89b09bdd98e032da0ad3b4898bfee90289d572e7c4d59315eb2f42617b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ecfe989e0a7d983283cfa2732be68686

SHA1
438e97d569f786b204de7e3d60dc0ab156f8a5bc

SHA256
0bb7f00223b13b21d6ff651d0098ec4717b4ed47d519e8678f6a6c55961e4e61

SHA512
cc58db4e9f55f1b053fac0f1cfc0d3730988346a3bb2db23e4669389f1407ae48b50e0efb1496621b90e2c403eaa516d61a43832a023d46d0e53acdf637e0ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b213283ff3d2cd16fd6f11a1378715a

SHA1
2db623813ae947e690e78519661666f152b821f7

SHA256
75366d35580c80ad8e1f35b1b95180e10edbbbbf065142b412743eb464b7febe

SHA512
5f5170d68c24a5d45d2a67691ae1f2b93058602dc8fbc8bb78963432ec07770439600668574845822a2445b9ef51d7b25167edad4a1c48ac521fe1fec4237bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0c8a8b293fac409cc6c8204cbc228dbe

SHA1
1b0c1eaff3b0bcf4bdeb1237707200bea751dbf8

SHA256
8727d9bee2a9efdf041cc99a6685f810d92e0d0f400739d1d9a4a8eb77bb697c

SHA512
745c48172fb63c0f57ddb9ae73a0c1c1344ac5a48a14a178e71d210aa0c932093df2a17c366a7518afe232f1e52c1183b6265c12e29b99a9bdd2daa58227259a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
beb8227a83a215e01650c5f6200a322f

SHA1
8985d29094157bfdc89507e96e9460070706719a

SHA256
d835861ed8680cda43a147991ba7f319c90450599a1778c45d42f72b6f93f41c

SHA512
56f280b4effa5f0d72b3eb531bff565a8f038cc30c43b2d9ba0a7e49bfec85819bf2b302b57fbc2a043399db483757b23e5708f4dc954647d4b55be2bab1d262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e6b6675fd7a5eb08dcbdd6c36769cef

SHA1
2eb7568d63e8707709ffa0e4fa5220f68b7f4cfd

SHA256
ee251c3b49389ce8203fae2f323f9f869ba7d8b8f48f7afd581b9c9f308201e9

SHA512
c245fcf3eb9c437166b9d4238350744c48591915d61016da98c00c4b0d27d9645226d548e7f010d16c48fbba827b1dce73fbfd6660ba0b3c32c36b333e34291d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb87c84a025bdc6426d288c719857515

SHA1
354c4bd61702ce9d1b7fc61cd96afea734b94d00

SHA256
e8d7c587bc59443deee0a412cb3cb7fd96d2b2f432622576d45a5821b058ca58

SHA512
d03bc223fba82c29c3508e59e16226c1de55d2b6ff400270d2a16de45591ade139768680e4c07de26741b1653c71ed667e1f1e393db5fe1490c6abed50b42f81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
8202b3490b334b0234cc77840e647dfc

SHA1
887cc1e0a49e1ce7adab1beaa84b3e9670d7a428

SHA256
b1f31cf2efe8df40567290aba9f3c357fb8f1f9a867fd6f2a618d0bec088da9f

SHA512
d3309ced69f6df357cc5a4e57dfee01c6794e8225da903ad1e35374dd68334d86dacaf254bac424f261c27b1b7b939db2dc30ab7bf6e8d031e5778eaa66e38e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
eeb162988cac4418fdc48115919b6e20

SHA1
58872cf1748b5aa8bd54b84d5ccb3290cb114a3d

SHA256
fc6f4fdfd6d490fd9e230de40b3034619bd98643d4cdefaa0cfaa3abcffee205

SHA512
3d1a4a3f4a122d5ae312f909569dede5d12184e2eb510b66cb97dfb15753b6ebc572407b534f2d848fee373f5983de99146374368df387a3847ac8c320e43175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
332bafeab8d8714000ce58bd29f99f1b

SHA1
7e266ac76d110c4c4c057fa7bbc2f56a198b657f

SHA256
69a28412610bcf688c8083afea493add5f793efaf1f4918ea2a9234784de2931

SHA512
c824900bfbe127929fac9344b7124439623c5ac9321f9e1b768253ba47dbf4a2c2bfbf4c0d893dc072f315334c1c6096d064f8bd8ce5595d6539b80e6f17e1a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
cac01ed69e811b02513a46f370639128

SHA1
a75e4d29d43364741d3184cfc4382737cadc8fbc

SHA256
8213eb7452bbdae6d94f2467835f60cb8c0f728ee8b49bf5e3d4a38209bfc495

SHA512
4cfc4a924541e94f103875bcaba78e9376ce4387f4fbbdeb2d5a586758a5750aada1c8a37ccf9acb9d5965a4c4bfa7707daca9948bce8319855d61022ecb4ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJ71A3WZ4KMcq9l.exe

Filesize
100KB

MD5
4c6426ac7ef186464ecbb0d81cbfcb1e

SHA1
5a6918eebd9d635e8f632e3ef34e3792b1b5ec13

SHA256
f627ca4c2c322f15db26152df306bd4f983f0146409b81a4341b9b340c365a16

SHA512
5f6dbea410beee80292b16df6fcc767ae6baf058ab4c38fa6a4fc72b7828374af42bd6da094eada2ad006d1a0754f9ff7bdd94c0ef9540e6651729b74fb9ea46

Download Submit
C:\Users\Admin\AppData\Local\Temp\cswcgosb.exe

Filesize
27.5MB

MD5
fc7f52ba7722c4beecbc550e6376a53f

SHA1
48649e85ae0181dee896cfa40369d8887bb0fb49

SHA256
7c3763106ba7b5f96ee7fc4411278737db191faf19bd0d5fd3cc4cc63f3f110a

SHA512
a401e6d587e25ac24fb47dce47468eb24250edaf5477d21d6eea7d7b8881916273034705d346519d530d61927ae80ce347d26852e71a89bb62b47747a6408c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\cswcgosb.exe

Filesize
25.8MB

MD5
82cafea5780099060dddf0c7fad89f6e

SHA1
9cb85ca01a86c43dcec5e49d47d2986c66511de8

SHA256
511d7de0b3de8aa904e6e18e83cc7e1960c4a6b1af4ce64fd88d1168b5d97448

SHA512
01e4009810e85c40d85051f7053284b73937df16a8b94283f5789b53d2469de1c00f96a1ada79274d569582f5ad0338bc8a7bf0c0df9d57ac245b9f5f59f6972

Download Submit
C:\Users\Admin\AppData\Local\Temp\cswcgosb.exe

Filesize
24.8MB

MD5
f2350dbdeb366f34e81ae85db6958a9d

SHA1
cf9a892222671dbbdc78304b50738b1b6a7634fb

SHA256
347b8e6834dfacfb07448be3c2f266e6b363ee3b447f2d33bbb8c1de18fc3763

SHA512
a70c20c586e2c39083cd7df90eeef5713f413f8d4cc92b0fe2ff63630fd698ae31028fdff8c5e2b5c593fa75c37c80b3abe9b9bc9d8c8aa69653ced39e2c1e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB464.tmp\HWSignature.dll

Filesize
138KB

MD5
dd02068ec46551327bf262153566f01b

SHA1
6ce1f9da6a5bcf58701c5f0fb48e1f35b7c340a5

SHA256
12244da2b6218993def3bac6f014da74722e41982a92df5fe3c5be477c861bb6

SHA512
8c9e22ff273e6f0cd0a98a348edc04eb9421c12583791850f38b81a04361ee27829140975022b4d38340a00c0bcf16f132929db0a0748cfebfd8a01ab9305f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB464.tmp\ImageMagik.dll

Filesize
5.9MB

MD5
657ba46e4ff84fac76d64db09f012e88

SHA1
20d7000a6e0a4320728edca77c49ba2f9077da8e

SHA256
ba67d8f34a6841c45dfa3b332cfb95ab8a4da36c38aa33b00f61abce3003728a

SHA512
4468c3518da96f935780147e34075ff8a81eb624153ef138908b9c35e7a970c0182dc0eda78259a7286a43a62b6a4fc7d80853694b3f873b6ed265abad586475

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB464.tmp\SetupLib.dll

Filesize
6.0MB

MD5
5cdbeaa1ec6ca473b81fa2a1bfdda1e6

SHA1
c02999534067cea8c5bdf490808dc03f71e36a53

SHA256
178c9d2d567d843983bc068d51a6125d64cf6523ac197f67a1a5b7b04cf6d602

SHA512
ef6e7201370f5d4ba379a8bacc36596cc05c0a3f052e4b42cc3cffc6a8d482ac25739aaf26b48a7c971281327bfec712f202717c85636b27a4eb8cdfb79b9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB464.tmp\SetupLibNew.dll

Filesize
3.9MB

MD5
c183621f005a01d453d30b68790e8319

SHA1
546ba974e936f172162941fb21cc2b110d2a5c0f

SHA256
7633010a0eae5361c96cf7c62bc420fd5b615431129ff606a595da6df7eb66c2

SHA512
2a22e6db6d70d189b23a0692e70d829eee02cf82bd83cd8e2a0779ec62843053e55c7d6c95fd5508bdd61d7db1e1bb423ad0a79f6fb3a593d6272c8f2a0afb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB464.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Windows\SysWOW64\Tlctl.exe

Filesize
19.6MB

MD5
0e025c41471cd3ea771864121ea52109

SHA1
ae414ec6c5526156418bf2a7033402209d08af1f

SHA256
c038d9d2cdd720ff3b7a242d1f37ced9db2d15f8237b2dee7dc53b587eac3522

SHA512
d947fe1d6eadb0e0bbf7c4b9759226c63aa2bad270fc565e549fcaab0e975b4330fb011a03ef970fdc9e2bce04300b3ef3d2a0cc1f7737d223dc00e9e7d11714

Download Submit
C:\Windows\SysWOW64\Tlctl.exe

Filesize
19.8MB

MD5
fa9f63320a9f2db91e255f795ac6beec

SHA1
2ccbbf63ef654fa1ba9297f8e115837a3eaf3d88

SHA256
d2b8822c117eac357c9af66820dde7bd86c0dc3929282f59d8a62b952cb615f5

SHA512
ecde40318d5bc59e8039cae7d1778753bb7ed0e498dde5b658a66c9365d574521828d8112274690a2daaa66c80ec6ce25e410d3cb2185e28c9b0d68eed2da43a

Download Submit
C:\Windows\SysWOW64\Tlctl.exe

Filesize
18.2MB

MD5
3a55805bdd5e66758644706f80a7f2e5

SHA1
3502634ded5f8bc1d4147635ea706803d1078c62

SHA256
07a6b001f5bc6b92fe2adb675c4647c585667d240ecf6147cdd21f7569050d1a

SHA512
fb7b17ae8f0d717ed95d8727e7f5b7f05e7172ac50863de9af4a31a5049325759ee2592d120a1ee83de0aeeda1d2ba00295926f2662dec5645f60020fa09e421

Download Submit
\??\pipe\crashpad_4512_OOXSBFAMMQXZRZSS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1528-13277-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-13280-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/1528-13289-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-4080-0x0000000075490000-0x0000000075630000-memory.dmp

Filesize
1.6MB

Download
memory/1528-205-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-206-0x00000000756F0000-0x0000000075905000-memory.dmp

Filesize
2.1MB

Download
memory/1528-13279-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-13276-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-13275-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-13274-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/1528-6089-0x0000000076900000-0x000000007697A000-memory.dmp

Filesize
488KB

Download
memory/2464-26394-0x0000000005430000-0x0000000005824000-memory.dmp

Filesize
4.0MB

Download
memory/2464-26403-0x000000006D440000-0x000000006D450000-memory.dmp

Filesize
64KB

Download
memory/2464-26387-0x000000006D450000-0x000000006D460000-memory.dmp

Filesize
64KB

Download
memory/2464-26414-0x0000000003690000-0x00000000036B5000-memory.dmp

Filesize
148KB

Download
memory/2464-26434-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2464-13298-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/7676-17173-0x0000000075490000-0x0000000075630000-memory.dmp

Filesize
1.6MB

Download
memory/7676-26433-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/7676-13299-0x00000000756F0000-0x0000000075905000-memory.dmp

Filesize
2.1MB

Download
memory/7676-26424-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/7676-26422-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/7676-26420-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/7676-26419-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/7676-19183-0x0000000076900000-0x000000007697A000-memory.dmp

Filesize
488KB

Download
memory/7676-26421-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/27928-39511-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/27928-39512-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/27928-39514-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/27928-39509-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/27928-30309-0x0000000075490000-0x0000000075630000-memory.dmp

Filesize
1.6MB

Download
memory/27928-39510-0x0000000000400000-0x0000000001F8C000-memory.dmp

Filesize
27.5MB

Download
memory/27928-32318-0x0000000076900000-0x000000007697A000-memory.dmp

Filesize
488KB

Download
memory/27928-26435-0x00000000756F0000-0x0000000075905000-memory.dmp

Filesize
2.1MB

Download