Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-09-2024 12:59

General

  • Target

    39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe

  • Size

    625KB

  • MD5

    90180f284c1a5dc94ac94cae1dbdbfcc

  • SHA1

    dbeb50c4cf66722a01bc391c225bb930354a3fc4

  • SHA256

    39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf

  • SHA512

    4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04

  • SSDEEP

    12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
    "C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1676
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:408
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1516
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:2276
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:728
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3000
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:548
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:4800
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2072
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Executes dropped EXE
      PID:3608
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:2164
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 792
        2⤵
          PID:1440
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:3672
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
          2⤵
          • Modifies data under HKEY_USERS
          PID:1584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

        Filesize

        1.9MB

        MD5

        0c9b82eeccebaf3088e9f328d8669dcb

        SHA1

        f2dca1d8370763539d8b6e19eeea7eb222a594d0

        SHA256

        dd1f1e961ef316b3c6944da5a5893f4062af202eef5454c409f91a6e576ea521

        SHA512

        508d0d87579903961411dfea13fd455f5b08e28754f4c0d9ae97a952fca1044355c0cd76c9b9bbaf5b8126868a342e78ab0e633deefc28ea1dc41a5db1a04b6b

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

        Filesize

        621KB

        MD5

        3e32555b645b5dd97bb431684951f274

        SHA1

        df637dc036e5a84e9c9dee1cb9be1ab5e2119e6f

        SHA256

        8867b1f6bb82de00f4003ece23d9962d4c1b670c7d97da48b753fd53b22f98a6

        SHA512

        e8726b76bda1b5e1a61d503c44873b6cd8e88372ecf508a4d65c9731ac79d8f06cdc74b26710aff9ab0ef2d678bff2bb8491ebc3c74d8ac6d5007be4d18e8440

      • C:\Program Files\7-Zip\7z.exe

        Filesize

        940KB

        MD5

        d37b4746a153abe6008218dec220f462

        SHA1

        a473b1701862c1c79207d7bb39291f3e37ce0db6

        SHA256

        592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7

        SHA512

        5d64373cb70fe1acace04ffd8ab279ac74e28f0c415ba0355534082abbd9cb7609f537fab249a2af4e11ead0968e461c6fcfd2082a0220cebeba1f4ab873b714

      • C:\Program Files\7-Zip\7zFM.exe

        Filesize

        1.3MB

        MD5

        ae644316de57b0c8bf380100fdf6201b

        SHA1

        8e0ed2070e0a948993a6a80a58d5ad2913430d06

        SHA256

        e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651

        SHA512

        d254be661526154c2c2e028371e53759d8ab674945124015408b6878e207c35293f222a8edc50384b7baf8ee1c026810d6fb42cb6aae761175138fcf5a8bb182

      • C:\Program Files\7-Zip\7zG.exe

        Filesize

        1.1MB

        MD5

        cf4b2a7fec07e59a61682fda102494a9

        SHA1

        8888ac4294f0e4299df1453aa02928261dd597dd

        SHA256

        3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868

        SHA512

        69f14a52e396cec44cd499041a80f14cf305a5a2405242d09846881e179dd1e86c9a8201eccd45d177a408641162c9599fdcfc102998247f832cb9b4ca36ec8e

      • C:\Program Files\7-Zip\Uninstall.exe

        Filesize

        410KB

        MD5

        4e3d1b52c0977001b717300355b600cf

        SHA1

        e3615160362af023a082b00f68ae9981437cea10

        SHA256

        f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f

        SHA512

        855c4cc6eb21293b02e1f44a8e46855497054e5d4af3b8279d9eaec89f3d2c9e8ee93267634d97ff7ea85f6be00a04019906f4b58a104c630338997ae5ceadf4

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

        Filesize

        672KB

        MD5

        ebaf6ab801a8bec40079f34477886c85

        SHA1

        36eea4c2c5bbb26327f4ec0f4c0c05831f167134

        SHA256

        59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011

        SHA512

        eceb94773f02f466141e9563fb00bd6d5c4bc3261e7097b3f20386700d5b279bd438ad74fc807d3ed75040acdd2ff6292207e16a50badbf4a59bcabac41bab5f

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

        Filesize

        4.5MB

        MD5

        29d58cfec058511f5c97e5342d8aac13

        SHA1

        e8bfce0354a518e444c2397abe4700855515b676

        SHA256

        a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691

        SHA512

        ad6f3edf5cbbd92a711c0fcc465056b6a7e66389a68df81e33f71958d8cd470ac69e81e582aa350ae676cb07e428babbf2f8e9763fc186d8dec79561081eff10

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

        Filesize

        738KB

        MD5

        b95a3115be79e0a681e206df9d2a70f0

        SHA1

        646946a39585c2f6b2234edd60dcc8e2fcf512d8

        SHA256

        9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a

        SHA512

        5081618735bf94cbc9eb5f47e49101aa9d534c8958fd1d4a6a7a363df46c0ce10b89ec73c47e60d1ffe5e6aeaaff1883f942f716cbd00790f0dfcf95f2663602

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

        Filesize

        23.8MB

        MD5

        a14df0b641a9d2b9941d492749fa4744

        SHA1

        a126c239d21f0478ff61a601039faa868e1d4a04

        SHA256

        c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd

        SHA512

        b995a37bc8dc313bda8af0f174cc2d6f97340661d1b35a4169420dc1a3bf4ef61553a8734ef8da419865d65e1a84394082fba43843b4da9372c2c7cfaf9f7d54

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

        Filesize

        2.5MB

        MD5

        cd98bf3cf0569b3979037e8460f89245

        SHA1

        9ef80255655214f32685c42aefa33c39737237cd

        SHA256

        ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9

        SHA512

        0760868de032a8c64497988e47b59061895e74e9dbb21ad57fba6f33d3602f344f3b1602df0937a6fda9572b7e86fcf68e3e5d95f3e2656bb51392d7f8ec49ff

      • C:\Program Files\Common Files\microsoft shared\Source Engine\gejmelpd.tmp

        Filesize

        637KB

        MD5

        2c0d704db7f81fa758edfd31f82d4b67

        SHA1

        b8e438b8383c7af870d4bcc917d71dce595974ae

        SHA256

        59f73bf69297f1d8f808973dfb9e1dc0d8e9cb04300d4afe436da97a35469945

        SHA512

        208c5635ca552b8ca27f3255e78088359cee630f0336b4f87a2e2def772fce270f5b334e3bbaade2d60fd18a9321fdbbea5ca6d30a87532e948331262745c571

      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

        Filesize

        2.0MB

        MD5

        c576552ff119e19dd3f368b98b64f3e9

        SHA1

        e9db3cff21fefe532d8673d7f14dbf7c16c5a062

        SHA256

        5f95cb0adce15d226b9a0a976e26990b4b972fad7c4c84178d511b98da2824c0

        SHA512

        77981a2e60be7831b306cb0324ac3f191c81a20334c4c828ac1eb2efef71c4eb87e61fd0fa67cd42b2442a4a462c1a9e8f72cadba868ce6a424d2e73e772f783

      • C:\Users\Admin\AppData\Local\bcreblpq\ijjdejon.tmp

        Filesize

        625KB

        MD5

        dad6df2d16e2ba34a3da348efe47d6ca

        SHA1

        75ca0afeeed4f992cd19f261529c5c2946a54f6f

        SHA256

        751ac4da6dbab19d3cdf5a44fd3537f74660e72a598db4325523e0522caa5552

        SHA512

        adf60d25d22a7a098225a9465ed255b3f9020e532947ec84e894db0047ed27a6ef60fabb862869a47f105530d7df6d39e750a266c9eb9e20a0faf8f72a45850e

      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

        Filesize

        818KB

        MD5

        73d43241d49b7575fafc4afb3683aa3e

        SHA1

        7ccfebf8252f24980b80a59f3f7ac12de0db770a

        SHA256

        1f278dfb721f07f3010d772002d7855271031250db977a9a81535b24c7e45c59

        SHA512

        4a74d1df98383ba4588a09f00c51d1488fa49411b3a135218e4e2958673b9a9ad6ed2b5dddd279c1625833860773a7b53c701907aac5060d08ec9e3ac3cbdf94

      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

        Filesize

        487KB

        MD5

        efd00b355ebc10165621b0152cc93574

        SHA1

        96288333d6b20de6645a11126a72d2ef004997e9

        SHA256

        73fe735cfa0a07f672c0673efcb104bc7485c29ed376e021183b1fa54072b5e3

        SHA512

        bf85d7865f35c257cf2b771ecc11b01d31498ba064f235582a66381b821c756e7e06bd5a73f2f1b60abf341e7501b8606c4f8e653470de26f4bf1718fa380ee3

      • C:\Windows\System32\FXSSVC.exe

        Filesize

        1.0MB

        MD5

        a883f58f270a23a16587b100dd3c4933

        SHA1

        2b8f7a9b63db5ae8ab867c7107a86503dc2da4c0

        SHA256

        e843c2d48ff1a1e12e6c921c20038291308bf55b695aff4ea98b38d938d185d6

        SHA512

        64ac41ebba677f28a682cbcd360a9388f4cee5ddf2f456313e08525cd3c73c025156c4f0ae49cc4214302b72444cfc53cee2cfd996f5837dac0359acbaec1c1e

      • C:\Windows\System32\SearchIndexer.exe

        Filesize

        1.3MB

        MD5

        fb17dd5c25836a81643736eb6e66a97e

        SHA1

        ac2cd2476df8e50042b3f1d5cb2021dba5572428

        SHA256

        a26b6359345f591135c64f1bbd1f973cd9f25824e74f2f3975e59481a70775a2

        SHA512

        dda735fd2b1dd04912fe58bb49b32b6e01a07b8b6cfc49ad8b3ede30d96063a27b04634356276bbd48acc6f4ab23a77ef90663056b9e6ce2a352c2b786e563b8

      • C:\Windows\System32\alg.exe

        Filesize

        489KB

        MD5

        67b2d1ce0dd8fb7726089def1fe0b787

        SHA1

        a3e56ecce10a5e782feab809d4b63a2e548ded76

        SHA256

        f9ad1ee6fe6a9d26a14a5aa629ec64b38cb0ac8f86072e92b6feb80e17ee03b6

        SHA512

        a18d0e346a1cd36d12d1fa9b807ec8af11aad2cb207855488d4cdc2cae35c3a79ba77c29415aa569995b7e7859679781fb29308784721c5b04b8174b1db6fe62

      • C:\Windows\System32\msdtc.exe

        Filesize

        540KB

        MD5

        0aa77de80806a542f472edb0dce4a17e

        SHA1

        8df3e09df7e85171d0aabe45be6bef414d36f164

        SHA256

        566ed33949719ec372325c828c845f94b8ca714ade47227b748b6b0410b044a8

        SHA512

        a7c302404ee241e786ea813674702070560a97cf4441ca8ef31b6ba12d370e65e236181157039612a9005ed1ef03ea0fb57ceffec8d0810ad6ecd4106b112026

      • C:\Windows\system32\msiexec.exe

        Filesize

        463KB

        MD5

        d84b344bf7925553e950bcb099930b80

        SHA1

        c5eddaeb00bf9e28232de95ec053c25069814a81

        SHA256

        28c60478899713a41852fe47805251b81a69be7bee5fd77f4cba9a0f32863353

        SHA512

        7ec4df5e723a504805bfe8c433ba6f5de42fc189e083ed3175a2c6183a61f5f8c0998e46d5d68805ed6e6378490b0c1c6ba26a3d86de3ae547d82c003e3fcf90

      • C:\Windows\system32\windowspowershell\v1.0\powershell.exe

        Filesize

        839KB

        MD5

        e8a63952b999c9578136f9a7ce6b0654

        SHA1

        00e6fe8a0d43a683d43d5d3c8c3708edee12ba7b

        SHA256

        55b097da49d177957b70829acc9e3570aa0ecbbd668a53a8059953e159db18a5

        SHA512

        2c4226eae2d1e62b759b4b2478384dc90a1985ac7b7f73eb6d9d750a2aeb5ae7247783e72b7f3156241af7510a001b817af61deb1795aa72346b658cb87deb4c

      • \??\c:\windows\system32\Appvclient.exe

        Filesize

        1.1MB

        MD5

        6b5a21eab6bd115a3a026bb73120f70b

        SHA1

        2ef3017d8456dec25305866b46c06eebcc039e2f

        SHA256

        1a1f69e7881b8b282072bbbc9dd30dba24e939b370869f7f98a1a1e0c1fddb2b

        SHA512

        25ee4c6f1737530d03c8986e13a0f3f254b6f34785fbe6f2ba892fc020c0df5ff7868ffd6b7eee6c40afc796559234a27feb958bd0dabc5b4d991eb203873102

      • memory/408-57-0x000000014000D000-0x000000014001C000-memory.dmp

        Filesize

        60KB

      • memory/408-63-0x0000000140000000-0x0000000140136000-memory.dmp

        Filesize

        1.2MB

      • memory/408-23-0x000000014000D000-0x000000014001C000-memory.dmp

        Filesize

        60KB

      • memory/728-50-0x0000000140000000-0x00000001401C2000-memory.dmp

        Filesize

        1.8MB

      • memory/728-48-0x0000000140000000-0x00000001401C2000-memory.dmp

        Filesize

        1.8MB

      • memory/1516-74-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

      • memory/1516-40-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

      • memory/1584-330-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-328-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-335-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-334-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-336-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-333-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-332-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-315-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-316-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-317-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-320-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-319-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-318-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-321-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-323-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-326-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-325-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-331-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-322-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-329-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-327-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1584-324-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

        Filesize

        64KB

      • memory/1676-0-0x00000000004BC000-0x000000000054F000-memory.dmp

        Filesize

        588KB

      • memory/1676-1-0x0000000000400000-0x000000000054F000-memory.dmp

        Filesize

        1.3MB

      • memory/1676-3-0x0000000000400000-0x000000000054F000-memory.dmp

        Filesize

        1.3MB

      • memory/1676-47-0x00000000004BC000-0x000000000054F000-memory.dmp

        Filesize

        588KB

      • memory/1676-49-0x0000000000400000-0x000000000054F000-memory.dmp

        Filesize

        1.3MB

      • memory/4104-274-0x0000000006900000-0x0000000006901000-memory.dmp

        Filesize

        4KB

      • memory/4104-285-0x00000000069E0000-0x00000000069E8000-memory.dmp

        Filesize

        32KB

      • memory/4104-263-0x0000000006D10000-0x0000000006D18000-memory.dmp

        Filesize

        32KB

      • memory/4104-231-0x0000000002380000-0x0000000002390000-memory.dmp

        Filesize

        64KB

      • memory/4104-247-0x0000000002600000-0x0000000002610000-memory.dmp

        Filesize

        64KB

      • memory/4104-268-0x00000000069B0000-0x00000000069B8000-memory.dmp

        Filesize

        32KB

      • memory/4104-266-0x00000000069C0000-0x00000000069C1000-memory.dmp

        Filesize

        4KB

      • memory/4104-265-0x00000000069D0000-0x00000000069D8000-memory.dmp

        Filesize

        32KB

      • memory/4104-271-0x00000000069A0000-0x00000000069A8000-memory.dmp

        Filesize

        32KB