gh0strat | 5c3ed14be5546228e67b3a6e06c3a19c1eeef3e7671367ebe0ac2ba75a5f7a2e

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Size

150KB
MD5

3c167a7c59626593b133881dd2998d3e
SHA1

6964a04368af1cceae5c78029128cadbc6dea538
SHA256

5c3ed14be5546228e67b3a6e06c3a19c1eeef3e7671367ebe0ac2ba75a5f7a2e
SHA512

38f65fef1e186f0d415153b25980849da9605b5952468c2468592efa23fec7df9d95c1312f9a1096ed009b2c01ec0ec14e7fbaa5600b102f8fba1a105b9ba952
SSDEEP

3072:tlxAxiiAYXRJ1cbuR3m8KoNVzbqQ+yaKf4baDJws3wDJ:tePXD1zQuNV1+yiJ

Score

10^/10

gh0strat defense_evasion discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1076-16-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1076	B51C.tmp
2584	inlD3C5.tmp

Loads dropped DLL 3 IoCs

pid	Process
2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
2708	cmd.exe
2708	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\lanmao.dll	B51C.tmp
File created	C:\Program Files\Common Files\loader.dll	B51C.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\f76d472.ipi	msiexec.exe
File created	C:\WINDOWS\vbcfg.ini	B51C.tmp
File created	C:\Windows\Installer\f76d46f.msi	msiexec.exe
File created	C:\Windows\Installer\f76d472.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d46f.msi	msiexec.exe
File created	C:\Windows\Installer\f76d474.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B51C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlD3C5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
2164	msiexec.exe
2164	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeSecurityPrivilege	2164	msiexec.exe
Token: SeCreateTokenPrivilege	1520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1520	msiexec.exe
Token: SeLockMemoryPrivilege	1520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1520	msiexec.exe
Token: SeMachineAccountPrivilege	1520	msiexec.exe
Token: SeTcbPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	1520	msiexec.exe
Token: SeTakeOwnershipPrivilege	1520	msiexec.exe
Token: SeLoadDriverPrivilege	1520	msiexec.exe
Token: SeSystemProfilePrivilege	1520	msiexec.exe
Token: SeSystemtimePrivilege	1520	msiexec.exe
Token: SeProfSingleProcessPrivilege	1520	msiexec.exe
Token: SeIncBasePriorityPrivilege	1520	msiexec.exe
Token: SeCreatePagefilePrivilege	1520	msiexec.exe
Token: SeCreatePermanentPrivilege	1520	msiexec.exe
Token: SeBackupPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	1520	msiexec.exe
Token: SeShutdownPrivilege	1520	msiexec.exe
Token: SeDebugPrivilege	1520	msiexec.exe
Token: SeAuditPrivilege	1520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1520	msiexec.exe
Token: SeChangeNotifyPrivilege	1520	msiexec.exe
Token: SeRemoteShutdownPrivilege	1520	msiexec.exe
Token: SeUndockPrivilege	1520	msiexec.exe
Token: SeSyncAgentPrivilege	1520	msiexec.exe
Token: SeEnableDelegationPrivilege	1520	msiexec.exe
Token: SeManageVolumePrivilege	1520	msiexec.exe
Token: SeImpersonatePrivilege	1520	msiexec.exe
Token: SeCreateGlobalPrivilege	1520	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeIncBasePriorityPrivilege	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe
Token: SeTakeOwnershipPrivilege	2164	msiexec.exe
Token: SeRestorePrivilege	2164	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1076	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	30
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 1520	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	32
PID 2504 wrote to memory of 2708	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	34
PID 2504 wrote to memory of 2708	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	34
PID 2504 wrote to memory of 2708	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	34
PID 2504 wrote to memory of 2708	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	34
PID 2504 wrote to memory of 2876	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	36
PID 2504 wrote to memory of 2876	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	36
PID 2504 wrote to memory of 2876	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	36
PID 2504 wrote to memory of 2876	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	36
PID 2504 wrote to memory of 2888	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	38
PID 2504 wrote to memory of 2888	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	38
PID 2504 wrote to memory of 2888	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	38
PID 2504 wrote to memory of 2888	2504	JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe	38
PID 2876 wrote to memory of 2692	2876	cmd.exe	40
PID 2876 wrote to memory of 2692	2876	cmd.exe	40
PID 2876 wrote to memory of 2692	2876	cmd.exe	40
PID 2876 wrote to memory of 2692	2876	cmd.exe	40
PID 2708 wrote to memory of 2584	2708	cmd.exe	41
PID 2708 wrote to memory of 2584	2708	cmd.exe	41
PID 2708 wrote to memory of 2584	2708	cmd.exe	41
PID 2708 wrote to memory of 2584	2708	cmd.exe	41
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2164 wrote to memory of 1684	2164	msiexec.exe	42
PID 2584 wrote to memory of 1072	2584	inlD3C5.tmp	44
PID 2584 wrote to memory of 1072	2584	inlD3C5.tmp	44
PID 2584 wrote to memory of 1072	2584	inlD3C5.tmp	44
PID 2584 wrote to memory of 1072	2584	inlD3C5.tmp	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c167a7c59626593b133881dd2998d3e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Roaming\B51C.tmp
  C:\Users\Admin\AppData\Roaming\B51C.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1076
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSD0F~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\inlD3C5.tmp
    C:\Users\Admin\AppData\Local\Temp\inlD3C5.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD3C5.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D7A781C0B620DA57BB8C815C9E71D4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d473.rbs

Filesize
7KB

MD5
a6e81519d1006950f087cde616f4ed3e

SHA1
13155255708e9b52b1b05ad99b51a248b921677a

SHA256
303ba200f41d3353c9f14ba1cc90204675287013931b066a79c3c44c08f811c9

SHA512
79f0c8356c8ecd443da6f0a7fbc98f29487e237248b330a440874ec0c80472db6fc8b232eb9050f23ba23950a6876acfe0bb3c334e2ba89037731030f24e6a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSD0F~1.INI

Filesize
66KB

MD5
1a5431ea2612ba66743f5e196ff9d95e

SHA1
812517ad2cf8d109e38de2c9ce663d7b64b471a7

SHA256
d0ca65eeb366710d754c51e5a77a6f96babcb0541574d255be8fb6dfda0ab805

SHA512
764a0474dfa0b24baf24ce5afb20137a48a5c83ef420fc0ccd5a5beadb0d441ea55184ed82f68404c67335392e33d1a85c17048ad2bace22b0c655b823d548bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
931a60e4148c3ecdd475aaa9e94057e2

SHA1
8a87bcf868788f7e3fb5ccfa8aa3e9df8d04bfd2

SHA256
2ce4ae7d5e3ed30ebe832e6977181bc3baf0004b0610154c2182c59431bfcd23

SHA512
be9ae486bfaf3ac0741bfedfc06ff938ee8032704d9e81953dc6f67ce9f402f1ed92d8ab39a77f3a54bcb8a1131c2a0e14ff96092a13b900db7633e8fab0f54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1076-12-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1076-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2504-19-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2504-17-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2504-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-8-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/2504-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2584-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download