Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2024 08:40

General

  • Target

    4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

  • Size

    27.1MB

  • MD5

    756b1b81669fb5b5d745c83ced428cb1

  • SHA1

    c573e1f1d32780c808db53e5fd5e571d617816e6

  • SHA256

    4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

  • SHA512

    d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da

  • SSDEEP

    786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families; it was first seen in 2018.

  • Purplefox family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 9 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4904
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 7D9ED90F3DC65945FB3AAEF6E8A6DB6D E Global\MSI0000
        2⤵
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4984
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
            "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3108
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3564
          • C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
            "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
        • C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
          "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2280
        • C:\Program Files\CPUAimLinux\WhatsApp1.exe
          "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
          3⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:3724
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
          3⤵
          • Kills process with taskkill
          PID:3828
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"
      1⤵
      • Modifies data under HKEY_USERS
      PID:2640
    • C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
      "C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:4772
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4284
    • C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
      "C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:4796
    • C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
      "C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
        "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 205 -file file3 -mode mode3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
          "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3
          3⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:4748
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads
