Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-08-2024 06:07

General

  • Target

    a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe

  • Size

    406KB

  • MD5

    c8a46327ca3a8a0a5db01c32ba508f20

  • SHA1

    0e737ae39d373dda72816d12737163ca068a7716

  • SHA256

    a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625

  • SHA512

    468b8b3a828a43e073af6d4c02eb356e608262b1496044e94d0d161eb1976f6d03f6fc23254086e74673a4ffea5ab9054813feb8c5ab0e18e3c5a93cef55e980

  • SSDEEP

    6144:KIzfx0tsmxGjd9suGjWIDhAJSbnVrw8/LppZ2oqIqOEhspJ:1fqOwGTlW9N0Qrw62obqap

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe
    "C:\Users\Admin\AppData\Local\Temp\a993b8b9658d2639469658237a8139d10ac282e8e5776e35d5e6ebc762af9625.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2328
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1040
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4160
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:2728
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:3100
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3024
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2456
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:3932
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:912
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:212
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:4820
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
        2⤵
        • Modifies data under HKEY_USERS
        PID:2120

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

      Filesize

      621KB

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

    • C:\Program Files\Common Files\microsoft shared\Source Engine\cbiocmnd.tmp

      Filesize

      637KB

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

    • C:\Users\Admin\AppData\Local\pdorddlq\mdqainph.tmp

      Filesize

      625KB

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

    • C:\Windows\System32\SearchIndexer.exe

      Filesize

      1.3MB

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

    • C:\Windows\system32\msiexec.exe

      Filesize

      463KB

    • C:\Windows\system32\windowspowershell\v1.0\powershell.exe

      Filesize

      839KB

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB
