gh0strat | a1065afb321ea00ebed112f1cde90fdfc6f51c6e849f3909b13a0f70ec8b5dae

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_50cefa40519163f69d83763282206abe.exe
Size

150KB
MD5

50cefa40519163f69d83763282206abe
SHA1

9c413612d4f19f3c049ab3df61d81a025a7414e5
SHA256

a1065afb321ea00ebed112f1cde90fdfc6f51c6e849f3909b13a0f70ec8b5dae
SHA512

e8fb83ee33793b0406604f7fd166f2fc11156495fa9102ed7db5bffae370867477b168091a7d59a5a8c6323f63d0901abb3c00a31c839e689f7febed4d448bae
SSDEEP

3072:gwFLv/9SNIItxH6As+4d5lp8ZIGOYjlh9X1xcIMxArGrW2+8YVp3pD1KYZ:HFLv/9SNIAxH6A743Y9RAxoFXJ51D

Score

10^/10

gh0strat defense_evasion discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2240-16-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	CE28.tmp
1784	inlF47E.tmp

Loads dropped DLL 3 IoCs

pid	Process
2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe
2808	cmd.exe
2808	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loader.dll	CE28.tmp
File created	C:\Program Files\Common Files\lanmao.dll	CE28.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF6DD.tmp	msiexec.exe
File created	C:\Windows\Installer\f76f57b.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\f76f579.ipi	msiexec.exe
File created	C:\WINDOWS\vbcfg.ini	CE28.tmp
File created	C:\Windows\Installer\f76f576.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76f576.msi	msiexec.exe
File created	C:\Windows\Installer\f76f579.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_50cefa40519163f69d83763282206abe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CE28.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlF47E.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe
2892	msiexec.exe
2892	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2744	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeCreateTokenPrivilege	2744	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2744	msiexec.exe
Token: SeLockMemoryPrivilege	2744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2744	msiexec.exe
Token: SeMachineAccountPrivilege	2744	msiexec.exe
Token: SeTcbPrivilege	2744	msiexec.exe
Token: SeSecurityPrivilege	2744	msiexec.exe
Token: SeTakeOwnershipPrivilege	2744	msiexec.exe
Token: SeLoadDriverPrivilege	2744	msiexec.exe
Token: SeSystemProfilePrivilege	2744	msiexec.exe
Token: SeSystemtimePrivilege	2744	msiexec.exe
Token: SeProfSingleProcessPrivilege	2744	msiexec.exe
Token: SeIncBasePriorityPrivilege	2744	msiexec.exe
Token: SeCreatePagefilePrivilege	2744	msiexec.exe
Token: SeCreatePermanentPrivilege	2744	msiexec.exe
Token: SeBackupPrivilege	2744	msiexec.exe
Token: SeRestorePrivilege	2744	msiexec.exe
Token: SeShutdownPrivilege	2744	msiexec.exe
Token: SeDebugPrivilege	2744	msiexec.exe
Token: SeAuditPrivilege	2744	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2744	msiexec.exe
Token: SeChangeNotifyPrivilege	2744	msiexec.exe
Token: SeRemoteShutdownPrivilege	2744	msiexec.exe
Token: SeUndockPrivilege	2744	msiexec.exe
Token: SeSyncAgentPrivilege	2744	msiexec.exe
Token: SeEnableDelegationPrivilege	2744	msiexec.exe
Token: SeManageVolumePrivilege	2744	msiexec.exe
Token: SeImpersonatePrivilege	2744	msiexec.exe
Token: SeCreateGlobalPrivilege	2744	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2240	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	31
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2744	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	32
PID 2060 wrote to memory of 2808	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	35
PID 2060 wrote to memory of 2808	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	35
PID 2060 wrote to memory of 2808	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	35
PID 2060 wrote to memory of 2808	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	35
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2892 wrote to memory of 2752	2892	msiexec.exe	34
PID 2060 wrote to memory of 2688	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	37
PID 2060 wrote to memory of 2688	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	37
PID 2060 wrote to memory of 2688	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	37
PID 2060 wrote to memory of 2688	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	37
PID 2060 wrote to memory of 2660	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	39
PID 2060 wrote to memory of 2660	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	39
PID 2060 wrote to memory of 2660	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	39
PID 2060 wrote to memory of 2660	2060	JaffaCakes118_50cefa40519163f69d83763282206abe.exe	39
PID 2688 wrote to memory of 2004	2688	cmd.exe	41
PID 2688 wrote to memory of 2004	2688	cmd.exe	41
PID 2688 wrote to memory of 2004	2688	cmd.exe	41
PID 2688 wrote to memory of 2004	2688	cmd.exe	41
PID 2808 wrote to memory of 1784	2808	cmd.exe	42
PID 2808 wrote to memory of 1784	2808	cmd.exe	42
PID 2808 wrote to memory of 1784	2808	cmd.exe	42
PID 2808 wrote to memory of 1784	2808	cmd.exe	42
PID 1784 wrote to memory of 1368	1784	inlF47E.tmp	44
PID 1784 wrote to memory of 1368	1784	inlF47E.tmp	44
PID 1784 wrote to memory of 1368	1784	inlF47E.tmp	44
PID 1784 wrote to memory of 1368	1784	inlF47E.tmp	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cefa40519163f69d83763282206abe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cefa40519163f69d83763282206abe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\CE28.tmp
  C:\Users\Admin\AppData\Roaming\CE28.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSF0F~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\inlF47E.tmp
    C:\Users\Admin\AppData\Local\Temp\inlF47E.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlF47E.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DB5E52F1290EDCDC8585DE056E8981
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76f57a.rbs

Filesize
7KB

MD5
314a4ceead1ba7299b43a44639873648

SHA1
e42a3046aeedcab099147a205cd77a5fa6a51726

SHA256
e3ce3090f125d493b1ab0ac1a4c2fc44e742dcd416baf31f1f54370000ebc3ff

SHA512
236a6600bca70e592473ff542cdb0f6580f1df77486734fe8fd47288773af08e31893ea50af5fc3ac802f54082e7e5bb51c192dad9271d17a9e6e82d0a1045e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSF0F~1.INI

Filesize
66KB

MD5
d5beec465bc8fbbc24b1bd74d9fc668f

SHA1
36362a7cd107114535ab228ff8c2c13a8ca1e591

SHA256
1491ac5a9c94ce040998af8c1ae350ae7bcc2a14c3e784ffd65ff15abc9d65b6

SHA512
8bc666ff3aad1c88ff7a6f0f761f4f9631314cd2653ece3214e32f21d74b80184953de61125c6178902c0f8ef2c6918dfe5861e8ee8814225aaf10512f134cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
d20b36f99fe6a604ec4993b6fae0d86e

SHA1
ee259f5fdec4a2fc89744e1714972b8ae4070992

SHA256
f0a82cb4c70286a4686ad5cab9d5aeb5ce2314665cbefe3c1887b308743b62c4

SHA512
35317f6bd79805fd0b36c1b0792cb98a377ee282ba8fe11503e4b6f8c3618421add929100b21a604ebb087262ed8a7a2127aacda58b83076afaa2b7d86d4f447

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1784-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2060-19-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/2060-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-17-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2060-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-8-0x00000000003A0000-0x00000000003D0000-memory.dmp

Filesize
192KB

Download
memory/2060-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2240-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2240-12-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download