Resubmissions

22-02-2024 12:58

240222-p7qe4ahh87 10

22-02-2024 12:58

240222-p7hegshf4t 10

21-02-2024 14:52

240221-r83g6ahd51 10

21-02-2024 13:15

240221-qhgbkafg2t 10

19-02-2024 11:43

240219-nv2rxsdc55 10

18-02-2024 23:40

240218-3n9lhsff8w 10

Analysis

  • max time kernel
    89s
  • max time network
    126s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-02-2024 13:15

General

  • Target

    253012a62bc1d805c8c0b1bbf936c6f0.exe

  • Size

    2.4MB

  • MD5

    253012a62bc1d805c8c0b1bbf936c6f0

  • SHA1

    33728ba8f5ad3a4f0e1a5d6890022c377c0c00f8

  • SHA256

    a25e2487bb4b638d6333d652db58532f3f29dd5ddb7711f70f52e0e61e8d3f51

  • SHA512

    06842aab184f35c855dbf450534f9de7d66bb5923d0119c3ada19a08dc9f5c2b287321c571cf8b4727927517c6dabe37130e7b9a6eed4892159112ab6e45f57f

  • SSDEEP

    24576:j+G047epooYKZYzX1HWvWKz4E+hhf4udB2mMmsZJlrA9yoiO2V0KcJx3UnpLco7r:B047epoC8cWKssZfM9m1AJxUFr

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Loads dropped DLL 6 IoCs
  • Registers COM server for autorun 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\253012a62bc1d805c8c0b1bbf936c6f0.exe
    "C:\Users\Admin\AppData\Local\Temp\253012a62bc1d805c8c0b1bbf936c6f0.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:3060
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:3524
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:2112
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:2672
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1968
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4736
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2692
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1444
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3156
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4188
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1896
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll

    Filesize

    627KB

    MD5

    38fa7926c879b55635a697a6f49cb034

    SHA1

    539cfcee9654ed2a7b04236d3cd907224e1f6d87

    SHA256

    8c1c2a374dc65a688837c3fc1c689b66bc9c2cd57209e576084710aa00c44ea3

    SHA512

    5b8d9cc0e8ef425263aba02b1c539517c16d596ecd31f4c647bc4d6eea86211312527c92be486bb8f739ae114704467467e71dcf68ef2f10ae1909e185a494d4

  • C:\Program Files\ExplorerPatcher\WebView2Loader.dll

    Filesize

    136KB

    MD5

    c44baed957b05b9327bd371dbf0dbe99

    SHA1

    80b48c656b8555ebc588de3de0ec6c7e75ae4bf1

    SHA256

    ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef

    SHA512

    ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

  • C:\Program Files\ExplorerPatcher\ep_gui.dll

    Filesize

    702KB

    MD5

    50fac6e71b1693c8601e5edfe2314c0c

    SHA1

    ffc45bf1c9a5b0f2ca59d5057335ae79c84306d4

    SHA256

    3c362868f6740606f86b38c5d492f714265ef67bb9b29f64882bdc4a5519621e

    SHA512

    800700b79f227131a76d32e4e8c4073e0906ffe28f1e4d67e7f964747280faf56eabb72bf1520f42abc1a28869d35c956eb094eaf4ce6ed96ab4d4d314ccf391

  • C:\Program Files\ExplorerPatcher\ep_weather_host.dll

    Filesize

    238KB

    MD5

    74d2a253680034bfc1c8b24f3bd777ac

    SHA1

    1a00fb3b4628002149fe560a7e231f0bc4a6e97b

    SHA256

    52a99a4d45e8847decea13d49ef9aea5ebb629d6f810b6d529df344b9f632299

    SHA512

    f3351fb54790e01cf69b66c824a934d9beb8866140a97823d79c18400b8ece845ed71070c5ec2cb21c6f17560fb462794e66b4bc3354e79ef552094c22944063

  • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

    Filesize

    109KB

    MD5

    578479c0c09270e357ca9a9320a2540a

    SHA1

    4e0fe7abb9b760004995e95103e28796e986cceb

    SHA256

    f5a33582ac070a90d214d26e70d05f72df1885a8626a837bbe6ff731cd22ed82

    SHA512

    d0ce12ea49e268bfd55c9d72a380ad7c5c23d406124cc917c0d745979f19ff7688fad7c094d118c1d9efdaf66cd66f17daea03e7eb122d24d8571a79620e9954

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

    Filesize

    1KB

    MD5

    4ddf08b0d8e81614c05274f74676bcf1

    SHA1

    c81caa69707f62aae8134c8eb56d72bd4c1bd5a0

    SHA256

    03dd655a7eea8b5f5430c2f813e56c05a4e1128eaca5ab50535bc624286f99ac

    SHA512

    fbb5f4a5a37b8c6b8a3df5bacf32d3655699441465cdfa63f1ea93a5ad1f8605854cbd32b44c9a4cf44568b4b7f973a1eeb7d4fc0bcd4a99b1f319d541f983fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

    Filesize

    14KB

    MD5

    20e2340174a5a8563b95b69883977313

    SHA1

    ce8995698223ba5b2c187011389c47aaae657350

    SHA256

    206701e75efb47bb22759f0266464d9b168ef1214c4068740c0643fe55c559ce

    SHA512

    6a45ff276cdc6ba54c0ce5b0cce76cb4b96ac8ac322bd219017462838699e903edff263fcbb4b1b768015a1e4066eefcba431a235c292791757c91e2cbc4e360

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529949816081708.txt

    Filesize

    68KB

    MD5

    f44440eb89384e22043e78257186abd8

    SHA1

    0a126c1c6e0a1f8652f615d63b148622e1292c5c

    SHA256

    6381ead314c208cc51c1e2c37f4b89e8de87197f3228486a111e5af0c59e3520

    SHA512

    3bc8c35b38c28e334ab5f8de4f0e57e5e1d01895e1a05186c82df79ee06120a61b42f94e52f36b395d0088aa15e4e31b1aeaedf34715515956f0417904d2c871

  • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A

    Filesize

    312B

    MD5

    020af59720744ebb51e3781d530bfe0d

    SHA1

    33643cb189fa89426b3cd0a687dcfe481d307813

    SHA256

    605ac01026879d163dfb3b6b8c89ea9d31583e99c19bbab3115da7d3a2ba9b5e

    SHA512

    1dfe4f4dc30ee0809cfa3178fc8cae5169b3eda9d6e9a0e600af2c9356c4a2f2c64c091f7054b4385843a14685aaa79ee2057b4bc06be0c570970bd78528aa6b

  • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A

    Filesize

    404B

    MD5

    70525cfead7a0ead6ef8e4b8ee658f24

    SHA1

    b19122e72e9d7ea17c1b33fac8016609434a04f5

    SHA256

    15df5c18c126863c2d863d1cd4a4123a5ccc442a5ec8345f1c4a93bd44019f3e

    SHA512

    e6dd99c5ac0cc58eb3ee0c7f8101e5cbb7d17ec77d243bf0fc873478efaacf59c786bcf6169856e0c5730fe0f08da5c331995bc73f336def764a777e31f788a5

  • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PMGDCV8A\www.bing[1].xml

    Filesize

    2KB

    MD5

    25883f4dbd89ffe71542d7598dbb5c3b

    SHA1

    b35d2c9dc6caa8cbfa65b44a3adbd5f80e10701e

    SHA256

    04c5863d744637d09e8dafb035d7af81748c5d108e1fc5ab7772014e58712a48

    SHA512

    61cf57a2b5b438dd8a8cafb6506c49ceeb2f527a30e24d681a3949a597916ea74f913505877e79145cf4f1e444ea94093ae7c7a16d39639abbab5f88258b5ba7

  • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb

    Filesize

    18.2MB

    MD5

    ba80ec913334b6123236738635a548ab

    SHA1

    c85fdf9b6d69bfddf35aa6f8d775f01899ebee9a

    SHA256

    36bc1dbb6cda0b93aa085a01bfeb5df45708c37f099e50ee64f3e80d87c52d28

    SHA512

    b0bbb509dafce89258766a8dbd77641158793853a4a9a13a76b1174b18f6bc8558062ba55eb9732200ea8e0b88f86a280a36edf531edca87df1be554b491bb8b

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll

    Filesize

    256KB

    MD5

    799c910752c97c6a0fa92e4fbd404764

    SHA1

    8a60000a62f57c7b34c7ac4f4ebe3f8370a06411

    SHA256

    9e1d09a8d3825e10f3c517aa34069584f50a00d9c940c2a3d61d33455a224e53

    SHA512

    78753d9c8107f5fd60b0cb15e7a3bc2ff4e6ddc285d88c67bd3210571f675adcb0367bcb5a92d13a1e2dd806c65c386d9fd1fcfc7249c051b2d83cd82cdaf1dc

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.DLL

    Filesize

    152KB

    MD5

    56211c10e8ca51cd347b1e0589a59cd4

    SHA1

    99d408ce197b953d8e83b7023c9c4da971a61ff9

    SHA256

    9753f310c006739f674c26307ba048d2c4b55b02ce12886a5c80d30ee0783b5c

    SHA512

    cf39fa069f6e58305ffd57ac271a89fb838cf0c848a64891e32699149bfa9415e06b005173ac43610f343aec858d6729c36799d89b86c7d71c98ef6f9b662c8e

  • memory/1968-44-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-49-0x00007FFA8A090000-0x00007FFA8A65B000-memory.dmp

    Filesize

    5.8MB

  • memory/1968-30-0x00007FFAA00C0000-0x00007FFAA026C000-memory.dmp

    Filesize

    1.7MB

  • memory/1968-31-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-32-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-33-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-34-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-35-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-36-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-37-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-38-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-40-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-39-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-41-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-42-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-43-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-28-0x00007FFA95880000-0x00007FFA95AF1000-memory.dmp

    Filesize

    2.4MB

  • memory/1968-45-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-47-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-48-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-46-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-50-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-51-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-52-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-53-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-29-0x00007FFA95880000-0x00007FFA95AF1000-memory.dmp

    Filesize

    2.4MB

  • memory/1968-55-0x00007FFA950F0000-0x00007FFA95149000-memory.dmp

    Filesize

    356KB

  • memory/1968-56-0x00007FFA950F0000-0x00007FFA95149000-memory.dmp

    Filesize

    356KB

  • memory/1968-58-0x00007FFA94E90000-0x00007FFA9509E000-memory.dmp

    Filesize

    2.1MB

  • memory/1968-60-0x00007FFA94E30000-0x00007FFA94E87000-memory.dmp

    Filesize

    348KB

  • memory/1968-62-0x00007FFA94E30000-0x00007FFA94E87000-memory.dmp

    Filesize

    348KB

  • memory/1968-59-0x00007FFA94E90000-0x00007FFA9509E000-memory.dmp

    Filesize

    2.1MB

  • memory/1968-64-0x00007FFA94D90000-0x00007FFA94E25000-memory.dmp

    Filesize

    596KB

  • memory/1968-68-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-69-0x00007FF65D630000-0x00007FF65DAF4000-memory.dmp

    Filesize

    4.8MB

  • memory/1968-65-0x00007FFA96470000-0x00007FFA964AE000-memory.dmp

    Filesize

    248KB

  • memory/1968-63-0x00007FFA9F910000-0x00007FFAA00BE000-memory.dmp

    Filesize

    7.7MB

  • memory/1968-57-0x00007FFA950A0000-0x00007FFA950E2000-memory.dmp

    Filesize

    264KB

  • memory/1968-54-0x00007FFA8AE70000-0x00007FFA8B6A3000-memory.dmp

    Filesize

    8.2MB

  • memory/1968-89-0x0000000003C40000-0x0000000003C41000-memory.dmp

    Filesize

    4KB

  • memory/1968-22-0x00007FFA9F910000-0x00007FFAA00BE000-memory.dmp

    Filesize

    7.7MB

  • memory/1968-27-0x00007FFA95880000-0x00007FFA95AF1000-memory.dmp

    Filesize

    2.4MB

  • memory/1968-26-0x00007FFA95880000-0x00007FFA95AF1000-memory.dmp

    Filesize

    2.4MB

  • memory/1968-25-0x00007FFA95880000-0x00007FFA95AF1000-memory.dmp

    Filesize

    2.4MB

  • memory/1968-24-0x00007FFA95880000-0x00007FFA95AF1000-memory.dmp

    Filesize

    2.4MB

  • memory/1968-23-0x00007FFA9F910000-0x00007FFAA00BE000-memory.dmp

    Filesize

    7.7MB

  • memory/2692-120-0x00000236F2420000-0x00000236F2440000-memory.dmp

    Filesize

    128KB

  • memory/2692-100-0x00000236F1D40000-0x00000236F1D60000-memory.dmp

    Filesize

    128KB

  • memory/4188-186-0x000001D2FA400000-0x000001D2FA420000-memory.dmp

    Filesize

    128KB