Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-09-2024 10:39

General

  • Target

    39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe

  • Size

    625KB

  • MD5

    90180f284c1a5dc94ac94cae1dbdbfcc

  • SHA1

    dbeb50c4cf66722a01bc391c225bb930354a3fc4

  • SHA256

    39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf

  • SHA512

    4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04

  • SSDEEP

    12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
    "C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4028
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4540
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:732
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:2616
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4052
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:1384
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:4896
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2940
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4516
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:4792
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
        2⤵
        • Modifies data under HKEY_USERS
        PID:2548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      fda8474b548c77d02afdafc72a203d0d

      SHA1

      aff0ffd4888b783c3739af0035ae8376c9481401

      SHA256

      57fb8b571ce81a54fb71b472aa33c32325a499e8dda26de3603318ecd616b304

      SHA512

      683533f72326ba64446c296d2fdd51fe58230328a8b39e6ea30337d3ad4529f622d3fe5696fd26ac3529111800e0b5457ae952d3f767af0fc5e9e2184fd393b7

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

      Filesize

      621KB

      MD5

      7aa5baf72deaa6d2d74b2477a1bf1ade

      SHA1

      bfd25518baa095401f618ab9b2de643ce9ce0e49

      SHA256

      b2a9c6342c614e58d3560b73a74df7999a6875840a242a6ed618c0d927b14430

      SHA512

      bea71bd2af406239b2d22f52e73ede3fbb420ae1bee7d2c1e1ffb1eede6154e995f8fbc9680b63fdfef45fb040dc4e257dc0a2429e5706eae99fa514fb22f623

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      d37b4746a153abe6008218dec220f462

      SHA1

      a473b1701862c1c79207d7bb39291f3e37ce0db6

      SHA256

      592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7

      SHA512

      5d64373cb70fe1acace04ffd8ab279ac74e28f0c415ba0355534082abbd9cb7609f537fab249a2af4e11ead0968e461c6fcfd2082a0220cebeba1f4ab873b714

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      ae644316de57b0c8bf380100fdf6201b

      SHA1

      8e0ed2070e0a948993a6a80a58d5ad2913430d06

      SHA256

      e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651

      SHA512

      d254be661526154c2c2e028371e53759d8ab674945124015408b6878e207c35293f222a8edc50384b7baf8ee1c026810d6fb42cb6aae761175138fcf5a8bb182

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      cf4b2a7fec07e59a61682fda102494a9

      SHA1

      8888ac4294f0e4299df1453aa02928261dd597dd

      SHA256

      3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868

      SHA512

      69f14a52e396cec44cd499041a80f14cf305a5a2405242d09846881e179dd1e86c9a8201eccd45d177a408641162c9599fdcfc102998247f832cb9b4ca36ec8e

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      4e3d1b52c0977001b717300355b600cf

      SHA1

      e3615160362af023a082b00f68ae9981437cea10

      SHA256

      f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f

      SHA512

      855c4cc6eb21293b02e1f44a8e46855497054e5d4af3b8279d9eaec89f3d2c9e8ee93267634d97ff7ea85f6be00a04019906f4b58a104c630338997ae5ceadf4

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      ebaf6ab801a8bec40079f34477886c85

      SHA1

      36eea4c2c5bbb26327f4ec0f4c0c05831f167134

      SHA256

      59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011

      SHA512

      eceb94773f02f466141e9563fb00bd6d5c4bc3261e7097b3f20386700d5b279bd438ad74fc807d3ed75040acdd2ff6292207e16a50badbf4a59bcabac41bab5f

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      29d58cfec058511f5c97e5342d8aac13

      SHA1

      e8bfce0354a518e444c2397abe4700855515b676

      SHA256

      a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691

      SHA512

      ad6f3edf5cbbd92a711c0fcc465056b6a7e66389a68df81e33f71958d8cd470ac69e81e582aa350ae676cb07e428babbf2f8e9763fc186d8dec79561081eff10

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

      MD5

      b95a3115be79e0a681e206df9d2a70f0

      SHA1

      646946a39585c2f6b2234edd60dcc8e2fcf512d8

      SHA256

      9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a

      SHA512

      5081618735bf94cbc9eb5f47e49101aa9d534c8958fd1d4a6a7a363df46c0ce10b89ec73c47e60d1ffe5e6aeaaff1883f942f716cbd00790f0dfcf95f2663602

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      a14df0b641a9d2b9941d492749fa4744

      SHA1

      a126c239d21f0478ff61a601039faa868e1d4a04

      SHA256

      c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd

      SHA512

      b995a37bc8dc313bda8af0f174cc2d6f97340661d1b35a4169420dc1a3bf4ef61553a8734ef8da419865d65e1a84394082fba43843b4da9372c2c7cfaf9f7d54

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      cd98bf3cf0569b3979037e8460f89245

      SHA1

      9ef80255655214f32685c42aefa33c39737237cd

      SHA256

      ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9

      SHA512

      0760868de032a8c64497988e47b59061895e74e9dbb21ad57fba6f33d3602f344f3b1602df0937a6fda9572b7e86fcf68e3e5d95f3e2656bb51392d7f8ec49ff

    • C:\Program Files\Common Files\microsoft shared\Source Engine\pjolegip.tmp

      Filesize

      637KB

      MD5

      246f82ad1ef21f759220a1a6c8476966

      SHA1

      3a9f6ac2dcbe45757fa0ab9cccdaa13fbd7242b7

      SHA256

      6506aa2a65ef53b273f710c81980a40d0b7da121c3f8f6808f14ff88685fe2c5

      SHA512

      8eac3e0ac2a93097e944c3c8b358a4c7ecd62f7c705a2797e9450515e4c38caf536eece7fb693ba9df1a4e440813a094731dc3fdb9c1caa503d4ff29cada220e

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

      MD5

      36d55fd337a2eb640146bfba9f45fa89

      SHA1

      5216d49886fdd039bbc1e3a5723dc3dab7a03d5f

      SHA256

      6571434c915b6cf37a73e9f92806b617a10773d0b87d67b57af1faee20c204ff

      SHA512

      0152fc5f35236ecd232543a5317ce1e7b4ba04bd8e0760526cf97d4bdf2d8f0a4a11da61ba4ebc92643d204f0df911c5ae109691d8fbad35f750335895864787

    • C:\Users\Admin\AppData\Local\loljdjok\addfjjle.tmp

      Filesize

      625KB

      MD5

      c65c4dafe1bac11e3e2a49b3dc22575e

      SHA1

      ebc3516e55af5449e428ed732040f2e2d3275db0

      SHA256

      4eac4b15cee40543d7140bfd6c3d74f284b73f6f99609f5a55d9c75cb15440d5

      SHA512

      44dfbea4cb7a81df543abca97d8f28c98a3206c0e3a8333eee58d2a0bd7b2f22676f5a600063000890b85f352b00fb1e0f4deb20f9c83ea14fad42c36881868c

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

      MD5

      5dfd927d1bf3b6e44cbd232bd1e7cc47

      SHA1

      667957f4a82527478eba4c8e9dc1cc854853a3b2

      SHA256

      fb4f8187cfbe5c5cb35bbc45ce4810c61dd4bb877ed16c137bfaec23ca5b9562

      SHA512

      91430f63a22195c0983ba31fca165dab380b8ff678755ffb19078af1976b176ea60c652ce707795e86616fee5bf19f5281ba04b779e70a6b1dd9f84b07427c4b

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

      MD5

      e0e6c4e0b12a1dec1e93dc63e46b5d8c

      SHA1

      ee065af21c2c1692e7ac851ff3775e6918088aa9

      SHA256

      4ac0a4a6b4886762fb527f3f4140aef1eb38faa336736b51f7fb6299ea305ef2

      SHA512

      2574093acad92bbf10a50f3980a74feb7d40275ca49c5007c3f2eb395ef489b3fccd623968bca3a926ffca07cc27365ad31b1bfeeabb8f5a7b760f8cff810755

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      837a31332efa26e43fab43b9615423cc

      SHA1

      5f5521c6ec3fd3baf3d50421e57a0bf8b0155a9c

      SHA256

      9ea4fdf917738f7e10c441559afdaced8e016ae6a63bcc7c725d73e61de9a533

      SHA512

      8c1bb12b758f08f9fccfe12fba4477f26143b743bd18fce5e44cd13cd5935f801d2c12d025351c48e8d55cc235040b6d1fc78d90d9de7b05402dc7a5ba34da34

    • C:\Windows\System32\SearchIndexer.exe

      Filesize

      1.3MB

      MD5

      38d541bcd2f4a3e42203bdf41cfdaad3

      SHA1

      73e8cf5fe0a1f5f996c68db840d754b605d1de75

      SHA256

      51c1beb8841e227a680ff21ac571737654ecc34ace329c08b559fa51a9349ce6

      SHA512

      57be56fdd84597b74af3d61eae5e7cc77830ed018d69376d314ec1a38cf9bc6acb07563ddbcbb8efc0b7010e9541489a3b82af57cf62553ecfc554fba62236bd

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

      MD5

      6142e0b44fae115cf7913611bf36a4e6

      SHA1

      f6be0c06432210068f8c9fa59cda87e230dc4610

      SHA256

      2935b20e4c9dc38d0ac26689face0041fc7209b5c658e13cd001bf9cc5f2cfac

      SHA512

      41d17e66a6c58a93da04ba1009b7d2ca324d5572cb8c54b35b764c2a47b133d4c4edd2ac5c79b1f24a641f6dce464f091788d166585d685821fbf61803fa0276

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

      MD5

      cf6f7808f27bbcb386f19fe55c591028

      SHA1

      1cfdd5e85ad4471f465aeaef078f023168bbe2a3

      SHA256

      7a97abf004217d442d101e21b265409935bfa5bfa144b581804e54d2e667e399

      SHA512

      08ca153cda10e6ca387041edb994a58c4b664f15e394aae67c6de85669ff45dc08b02bbf75520358e1f69b19166d62406f1e018e480ac8bef31707b7b792ba74

    • C:\Windows\system32\msiexec.exe

      Filesize

      463KB

      MD5

      fe9be458f03957306533e12a9a2b2256

      SHA1

      6f44fd9d09e9af945c46bd231780038fd1526a34

      SHA256

      7afbbeac914162e3a9c92fe96e536e243d661cbc3d04c8ebdb2ee83e6c55cc4c

      SHA512

      96cc06b956083289fac1de52ef6928e77ae31f76938f5d941c92b8c8cda01af25fa305e40b52b90c824751a571424c0a28e3f5cb6de799afbfed4b84f16a9149

    • C:\Windows\system32\windowspowershell\v1.0\powershell.exe

      Filesize

      839KB

      MD5

      91c60a5d9af9ec13645cc8b342e241dc

      SHA1

      4c16057c76f187e1528b0bd5131812ca226d0620

      SHA256

      177fcb1534f7f581f7c960c4fa602d749341aeb5ad999ec50c4753c468d550cb

      SHA512

      dffee364b8faf3930c7f84d092e5128c001d8b35efd4cf079fec0d5e9564148657040c9a80ca894dc07a15f7ee171086ebbc58ba89a532d27f7ce59442dc0e6c

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      7c8d4ddeabb5a49a045d4723923d323a

      SHA1

      52f1683a53233af3a6345275cbaebf76538c3fc1

      SHA256

      fa7429a5dfef0c78547781ee5efd62bceabf1849fbaef708a9e340ebe5596929

      SHA512

      fb64fc86ce62916e1cda02ff822c73e5baee5ee91d8ee18aec0680acf05df660b4425ada9549973aaba12b111630eeaf257416401a01cfd35ec0e3069b99470e

    • memory/732-40-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/732-86-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/2548-317-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-315-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-329-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-330-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-331-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-333-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-334-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-332-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-302-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-303-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-304-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-305-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-306-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-307-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-308-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-309-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-310-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-311-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-312-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-313-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-314-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-328-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-316-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-327-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-323-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-324-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-325-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/2548-326-0x000001E96D530000-0x000001E96D540000-memory.dmp

      Filesize

      64KB

    • memory/3164-49-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/3164-47-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/4028-48-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

    • memory/4028-56-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/4028-0-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

    • memory/4028-3-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/4028-1-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/4112-290-0x0000000006AE0000-0x0000000006AE8000-memory.dmp

      Filesize

      32KB

    • memory/4112-258-0x00000000021F0000-0x0000000002200000-memory.dmp

      Filesize

      64KB

    • memory/4112-274-0x0000000002470000-0x0000000002480000-memory.dmp

      Filesize

      64KB

    • memory/4112-300-0x0000000008E90000-0x0000000008E98000-memory.dmp

      Filesize

      32KB

    • memory/4540-63-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/4540-65-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/4540-23-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB