gh0strat | 722bad8d9fdc2fb40273177925a5ce9bde0ae194642134a4097893318bfee51b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe
Size

150KB
MD5

4c79f3ef767af60499725b3e907eb4dc
SHA1

7d8c14773afe9a457edd728fad01ee377390cd06
SHA256

722bad8d9fdc2fb40273177925a5ce9bde0ae194642134a4097893318bfee51b
SHA512

43d73c0fcaf5705f5c1c65b400d0b293a1e89c62eadf27aa355b17bf6b98c3319533ff75ccf64204f4c7dd19760e7d1f643bf2a6a25ab60ebe5fb15f9b6892ed
SSDEEP

3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZ/:dkt0TSZkhWVvI+UupZTr5iSVrLmcq

Score

10^/10

gh0strat defense_evasion discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2488-17-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
648	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	ind18CE.tmp
2280	inl393B.tmp

Loads dropped DLL 3 IoCs

pid	Process
2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe
2936	cmd.exe
2936	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loader.dll	ind18CE.tmp
File created	C:\Program Files\Common Files\lanmao.dll	ind18CE.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f7739f7.ipi	msiexec.exe
File created	C:\WINDOWS\vbcfg.ini	ind18CE.tmp
File created	C:\Windows\Installer\f7739f4.msi	msiexec.exe
File created	C:\Windows\Installer\f7739f7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\Installer\f7739f9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7739f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl393B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ind18CE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe
2848	msiexec.exe
2848	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeSecurityPrivilege	2848	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1708	msiexec.exe
Token: SeLockMemoryPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeMachineAccountPrivilege	1708	msiexec.exe
Token: SeTcbPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeLoadDriverPrivilege	1708	msiexec.exe
Token: SeSystemProfilePrivilege	1708	msiexec.exe
Token: SeSystemtimePrivilege	1708	msiexec.exe
Token: SeProfSingleProcessPrivilege	1708	msiexec.exe
Token: SeIncBasePriorityPrivilege	1708	msiexec.exe
Token: SeCreatePagefilePrivilege	1708	msiexec.exe
Token: SeCreatePermanentPrivilege	1708	msiexec.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	1708	msiexec.exe
Token: SeAuditPrivilege	1708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1708	msiexec.exe
Token: SeChangeNotifyPrivilege	1708	msiexec.exe
Token: SeRemoteShutdownPrivilege	1708	msiexec.exe
Token: SeUndockPrivilege	1708	msiexec.exe
Token: SeSyncAgentPrivilege	1708	msiexec.exe
Token: SeEnableDelegationPrivilege	1708	msiexec.exe
Token: SeManageVolumePrivilege	1708	msiexec.exe
Token: SeImpersonatePrivilege	1708	msiexec.exe
Token: SeCreateGlobalPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeIncBasePriorityPrivilege	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 2488	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	30
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 1708	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	31
PID 2128 wrote to memory of 2936	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	33
PID 2128 wrote to memory of 2936	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	33
PID 2128 wrote to memory of 2936	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	33
PID 2128 wrote to memory of 2936	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	33
PID 2128 wrote to memory of 2888	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	34
PID 2128 wrote to memory of 2888	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	34
PID 2128 wrote to memory of 2888	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	34
PID 2128 wrote to memory of 2888	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	34
PID 2128 wrote to memory of 648	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	37
PID 2128 wrote to memory of 648	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	37
PID 2128 wrote to memory of 648	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	37
PID 2128 wrote to memory of 648	2128	JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe	37
PID 2888 wrote to memory of 1668	2888	cmd.exe	39
PID 2888 wrote to memory of 1668	2888	cmd.exe	39
PID 2888 wrote to memory of 1668	2888	cmd.exe	39
PID 2888 wrote to memory of 1668	2888	cmd.exe	39
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2848 wrote to memory of 892	2848	msiexec.exe	40
PID 2936 wrote to memory of 2280	2936	cmd.exe	41
PID 2936 wrote to memory of 2280	2936	cmd.exe	41
PID 2936 wrote to memory of 2280	2936	cmd.exe	41
PID 2936 wrote to memory of 2280	2936	cmd.exe	41
PID 2280 wrote to memory of 1800	2280	inl393B.tmp	43
PID 2280 wrote to memory of 1800	2280	inl393B.tmp	43
PID 2280 wrote to memory of 1800	2280	inl393B.tmp	43
PID 2280 wrote to memory of 1800	2280	inl393B.tmp	43

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c79f3ef767af60499725b3e907eb4dc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\ind18CE.tmp
  C:\Users\Admin\AppData\Local\Temp\ind18CE.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS365~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\inl393B.tmp
    C:\Users\Admin\AppData\Local\Temp\inl393B.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl393B.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A58581742738BC24AEDF71DC2976B2C0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7739f8.rbs

Filesize
7KB

MD5
e74ae0b9b0382464f7597afaaee0da67

SHA1
537983fd83582a2c600abeb9004b3906e6fc739a

SHA256
e5e085dde4db69657bb8f68e9a96b0de683f1d0722df2e9b93c9fc62e82a15cc

SHA512
9d11a29114ddf37004009aebd6edb86ab92bf8e8a718ca635185be21ecdae3f287d8687c907f31e7adbb5d10db40197ad534495e5ac0840a0a8d2386a8ef89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS365~1.INI

Filesize
66KB

MD5
d9b1b35151fb1469a7b0e298cab7dabc

SHA1
1776739fb99a8c9f877c46ee232d26ee37ff17a9

SHA256
11a4a9f8b2b4c6df9ce432669aa81392c617b2ed2c45b1fd40f99837cad35d66

SHA512
22eb47b772ddc4977feef1952bab9039f99d4d25cd4fe118059ffe536e74705cad352fd395c2d0329408a8e04652c5cf82e5e2a26c7adabf76b7da87548ec402

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
35f65b8cb98daee49ad2ce010afc0a32

SHA1
89c145fd9198ca59e1922a9c3298bf9e9eb9310b

SHA256
1b3dd0c7b76ada2e6e57552ad24ba1ba04bf98ea8fc5ef676a1090a22f9651cb

SHA512
0fc2b785f482d753871086a595ea29ef0b2da5fbab98c0d4dcc2bfcc39726c6a04eae4c633a34270722ccdbc112bcfdfb8d02fd635076132717be4fcb7e155ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/2128-19-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2128-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-10-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/2128-2-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2280-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2488-13-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2488-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download