Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2024 09:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: wpsupdate .msi
- Resource: win7-20240903-en
General
- Target: wpsupdate .msi
- Size: 18.0MB
- MD5: a73709d320e1160a965987bd3298b0bc
- SHA1: 2b1942cad548a048f62eb643573baf671696c5ea
- SHA256: d5d245b5e9d6b56778fcad5bd8154779074e891df0455ae8cc77e14595f0df8c
- SHA512: 78844102b9d83f5f8f3dc3c1b83217bb0a6a69579168dca0e4740afd1f9f4e8864b9203570b031e9ce47a8f9a2a6db98b558634708fd828727365f0271a5f686
- SSDEEP: 393216:0vd1NDtHWaIhF5AfrpW4+SRxqwIxgFU1elj6iY9Q4mG3WX0X9Jnbx:0fWaIFaFWdqjle1xB99kC/nbx
Malware Config
Signatures
| resource | yara_rule |
|---|---|
| behavioral2/memory/1476-74-0x000000002C130000-0x000000002C2EB000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/1476-76-0x000000002C130000-0x000000002C2EB000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/1476-92-0x000000002C130000-0x000000002C2EB000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/1476-94-0x000000002C130000-0x000000002C2EB000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/1476-96-0x000000002C130000-0x000000002C2EB000-memory.dmp | purplefox_rootkit |
Gh0st RAT payload (5 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/memory/1476-74-0x000000002C130000-0x000000002C2EB000-memory.dmp | family_gh0strat |
| behavioral2/memory/1476-76-0x000000002C130000-0x000000002C2EB000-memory.dmp | family_gh0strat |
| behavioral2/memory/1476-92-0x000000002C130000-0x000000002C2EB000-memory.dmp | family_gh0strat |
| behavioral2/memory/1476-94-0x000000002C130000-0x000000002C2EB000-memory.dmp | family_gh0strat |
| behavioral2/memory/1476-96-0x000000002C130000-0x000000002C2EB000-memory.dmp | family_gh0strat |
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\O: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\Q: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\G: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\J: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\N: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\R: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\E: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\V: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\I: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\T: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\H: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\U: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\Z: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\B: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\K: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\S: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\X: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\L: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\M: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\Y: | TpuaDVwAtO28.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | wpsupdate.exe |
Drops file in Program Files directory (14 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe | msiexec.exe |
| File created | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.xml | YElwbdcCOAiT.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log | YoctSidXXbav.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log | YoctSidXXbav.exe |
| File created | C:\Program Files\OrganizeSupporterNimble\node.dll | msiexec.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.xml | YElwbdcCOAiT.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe | YElwbdcCOAiT.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log | YoctSidXXbav.exe |
| File created | C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe | msiexec.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe | YElwbdcCOAiT.exe |
| File created | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe | YElwbdcCOAiT.exe |
| File opened for modification | C:\Program Files\OrganizeSupporterNimble | TpuaDVwAtO28.exe |
| File created | C:\Program Files\OrganizeSupporterNimble\qRnXMHAQiKBugDENYhOR | msiexec.exe |
| File created | C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe | YElwbdcCOAiT.exe |
Drops file in Windows directory (8 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Installer\e57eea6.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\e57eea6.msi | msiexec.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe |
| File created | C:\Windows\Installer\SourceHash{39A92A4F-ABC4-47A7-9E7F-64CBCFFA18BB} | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIEF80.tmp | msiexec.exe |
| File created | C:\Windows\Installer\e57eea8.msi | msiexec.exe |
Executes dropped EXE (8 IoCs)

| pid | Process |
|---|---|
| 3468 | YElwbdcCOAiT.exe |
| 4968 | TpuaDVwAtO28.exe |
| 3080 | wpsupdate.exe |
| 1180 | YoctSidXXbav.exe |
| 1540 | YoctSidXXbav.exe |
| 1028 | YoctSidXXbav.exe |
| 2032 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YElwbdcCOAiT.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TpuaDVwAtO28.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpsupdate.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TpuaDVwAtO28.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TpuaDVwAtO28.exe |
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a54fc9f1d525247c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a54fc9f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a54fc9f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da54fc9f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a54fc9f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device 
Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TpuaDVwAtO28.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TpuaDVwAtO28.exe |
Modifies data under HKEY_USERS (28 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "392ca03c1f08b912a65a0eaad5819382" | wpsupdate.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "20" | wpsupdate.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common | wpsupdate.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d0039002d00320030007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00430036002d00330044002d00350035002d00370039002d00460039002d00420032000000 | wpsupdate.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | wpsupdate.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | TpuaDVwAtO28.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software | wpsupdate.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft | wpsupdate.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "392ca03c1f08b912a65a0eaad5819382" | wpsupdate.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | TpuaDVwAtO28.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | TpuaDVwAtO28.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo | wpsupdate.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "20" | wpsupdate.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo | wpsupdate.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty\|2024-9-20" | wpsupdate.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office | wpsupdate.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0 | wpsupdate.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56\|f71bea7efb0790e717045d6aa6e666ed" | wpsupdate.exe |
Modifies registry class (22 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\PackageCode = "CEA73F1C5C6787349AB3A11C771E1A2B" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Version = "17039361" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\DeploymentFlags = "3" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\PackageName = "wpsupdate .msi" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Media | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F4A29A934CBA7A74E9F746BCFCAF81BB\ProductFeature | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Language = "1033" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\InstanceType = "0" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Net | msiexec.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Clients = 3a0000000000 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F4A29A934CBA7A74E9F746BCFCAF81BB | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\AdvertiseFlags = "388" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\AuthorizedLUAApp = "0" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\91E4850C13A5A9040811EA7CEA18D148 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\ProductName = "OrganizeSupporterNimble" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\91E4850C13A5A9040811EA7CEA18D148\F4A29A934CBA7A74E9F746BCFCAF81BB | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Media\1 = ";" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Assignment = "1" | msiexec.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 4088 | msiexec.exe |
| 4088 | msiexec.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 4968 | TpuaDVwAtO28.exe |
| 4968 | TpuaDVwAtO28.exe |
| 1028 | YoctSidXXbav.exe |
| 1028 | YoctSidXXbav.exe |
| 2032 | TpuaDVwAtO28.exe |
| 2032 | TpuaDVwAtO28.exe |
| 2032 | TpuaDVwAtO28.exe |
| 2032 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
| 1476 | TpuaDVwAtO28.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 3620 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 3620 | msiexec.exe |
| Token: SeSecurityPrivilege | 4088 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 3620 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 3620 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 3620 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 3620 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 3620 | msiexec.exe |
| Token: SeTcbPrivilege | 3620 | msiexec.exe |
| Token: SeSecurityPrivilege | 3620 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3620 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 3620 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 3620 | msiexec.exe |
| Token: SeSystemtimePrivilege | 3620 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 3620 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 3620 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 3620 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 3620 | msiexec.exe |
| Token: SeBackupPrivilege | 3620 | msiexec.exe |
| Token: SeRestorePrivilege | 3620 | msiexec.exe |
| Token: SeShutdownPrivilege | 3620 | msiexec.exe |
| Token: SeDebugPrivilege | 3620 | msiexec.exe |
| Token: SeAuditPrivilege | 3620 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 3620 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 3620 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 3620 | msiexec.exe |
| Token: SeUndockPrivilege | 3620 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 3620 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 3620 | msiexec.exe |
| Token: SeManageVolumePrivilege | 3620 | msiexec.exe |
| Token: SeImpersonatePrivilege | 3620 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 3620 | msiexec.exe |
| Token: SeBackupPrivilege | 4200 | vssvc.exe |
| Token: SeRestorePrivilege | 4200 | vssvc.exe |
| Token: SeAuditPrivilege | 4200 | vssvc.exe |
| Token: SeBackupPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeBackupPrivilege | 3756 | srtasks.exe |
| Token: SeRestorePrivilege | 3756 | srtasks.exe |
| Token: SeSecurityPrivilege | 3756 | srtasks.exe |
| Token: SeTakeOwnershipPrivilege | 3756 | srtasks.exe |
| Token: SeBackupPrivilege | 3756 | srtasks.exe |
| Token: SeRestorePrivilege | 3756 | srtasks.exe |
| Token: SeSecurityPrivilege | 3756 | srtasks.exe |
| Token: SeTakeOwnershipPrivilege | 3756 | srtasks.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4088 | msiexec.exe |
| Token: SeRestorePrivilege | 4088 | msiexec.exe |
Suspicious use of FindShellTrayWindow (7 IoCs)

| pid | Process |
|---|---|
| 3620 | msiexec.exe |
| 3620 | msiexec.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
Suspicious use of SendNotifyMessage (5 IoCs)

| pid | Process |
|---|---|
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
| 3080 | wpsupdate.exe |
Suspicious use of WriteProcessMemory (20 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4088 wrote to memory of 3756 | 4088 | msiexec.exe | 95 |
| PID 4088 wrote to memory of 3756 | 4088 | msiexec.exe | 95 |
| PID 4088 wrote to memory of 4632 | 4088 | msiexec.exe | 97 |
| PID 4088 wrote to memory of 4632 | 4088 | msiexec.exe | 97 |
| PID 4088 wrote to memory of 4632 | 4088 | msiexec.exe | 97 |
| PID 4632 wrote to memory of 3468 | 4632 | MsiExec.exe | 98 |
| PID 4632 wrote to memory of 3468 | 4632 | MsiExec.exe | 98 |
| PID 4632 wrote to memory of 3468 | 4632 | MsiExec.exe | 98 |
| PID 4632 wrote to memory of 4968 | 4632 | MsiExec.exe | 100 |
| PID 4632 wrote to memory of 4968 | 4632 | MsiExec.exe | 100 |
| PID 4632 wrote to memory of 4968 | 4632 | MsiExec.exe | 100 |
| PID 4632 wrote to memory of 3080 | 4632 | MsiExec.exe | 101 |
| PID 4632 wrote to memory of 3080 | 4632 | MsiExec.exe | 101 |
| PID 4632 wrote to memory of 3080 | 4632 | MsiExec.exe | 101 |
| PID 1028 wrote to memory of 2032 | 1028 | YoctSidXXbav.exe | 107 |
| PID 1028 wrote to memory of 2032 | 1028 | YoctSidXXbav.exe | 107 |
| PID 1028 wrote to memory of 2032 | 1028 | YoctSidXXbav.exe | 107 |
| PID 2032 wrote to memory of 1476 | 2032 | TpuaDVwAtO28.exe | 108 |
| PID 2032 wrote to memory of 1476 | 2032 | TpuaDVwAtO28.exe | 108 |
| PID 2032 wrote to memory of 1476 | 2032 | TpuaDVwAtO28.exe | 108 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3620)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\wpsupdate .msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4088)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\srtasks.exe (PID 3756)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 4632)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C252025A6AB4A77AE9600E0DFA9857E8 E Global\MSI0000
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - Child: C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe (PID 3468)
      Command line: "C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe" x "C:\Program Files\OrganizeSupporterNimble\qRnXMHAQiKBugDENYhOR" -o"C:\Program Files\OrganizeSupporterNimble\" -ptLyXGitilIeFgXMurmJK -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - Child: C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe (PID 4968)
      Command line: "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 143 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
    - Child: C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe (PID 3080)
      Command line: "C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe"
      - Writes to the Master Boot Record (MBR)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
- C:\Windows\system32\vssvc.exe (PID 4200)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe (PID 1180)
  Command line: "C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe" install
  - Drops file in Program Files directory
  - Executes dropped EXE
- C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe (PID 1540)
  Command line: "C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE
- C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe (PID 1028)
  Command line: "C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe (PID 2032)
    Command line: "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 174 -file file3 -mode mode3 -flag flag3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Child: C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe (PID 1476)
      Command line: "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 362 -file file3 -mode mode3 -flag flag3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads