Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-04-2024 12:20

General

  • Target

    https://www.mediafire.com/file/5ah20c6gpr8zpt5/Granny.rar/file

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.115:4782

Mutex

d4f1b642-ba7a-40a5-869d-d572284e9b2b

Attributes
  • encryption_key

    8B6B5DF09D5D290A4A395D941B0F5CEA30B93E88

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SteamSettings

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/5ah20c6gpr8zpt5/Granny.rar/file
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3284
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8831b46f8,0x7ff8831b4708,0x7ff8831b4718
      2⤵
        PID:4888
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
        2⤵
          PID:1780
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1340
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
          2⤵
            PID:3592
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
            2⤵
              PID:1656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
              2⤵
                PID:4592
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
                2⤵
                  PID:624
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
                  2⤵
                    PID:2968
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:5016
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                    2⤵
                      PID:5028
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
                      2⤵
                        PID:1320
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:8
                        2⤵
                          PID:4608
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
                          2⤵
                            PID:3428
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3180
                          • C:\Program Files\7-Zip\7zFM.exe
                            "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Granny.rar"
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            PID:884
                            • C:\Users\Admin\AppData\Local\Temp\7zO4734B537\Granny.exe
                              "C:\Users\Admin\AppData\Local\Temp\7zO4734B537\Granny.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:760
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "SteamSettings" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                4⤵
                                • Creates scheduled task(s)
                                PID:4384
                              • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:5168
                                • C:\Windows\SYSTEM32\schtasks.exe
                                  "schtasks" /create /tn "SteamSettings" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                  5⤵
                                  • Creates scheduled task(s)
                                  PID:5384
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
                            2⤵
                              PID:5220
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
                              2⤵
                                PID:5228
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
                                2⤵
                                  PID:5476
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
                                  2⤵
                                    PID:5484
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,408478948384970639,10982854029772384035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5156 /prefetch:2
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5184
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:5108
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize
    360B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    2KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    8KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    11KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    11KB
  • C:\Users\Admin\AppData\Local\Temp\7zO4734B537\Granny.exe
    Filesize
    3.2MB
  • C:\Users\Admin\Downloads\Granny.rar
    Filesize
    1.1MB
  • \??\pipe\LOCAL\crashpad_3284_ZMGKWKWHFKYZLLNG
  • memory/760-117-0x00007FF870AF0000-0x00007FF8715B1000-memory.dmp
    Filesize
    10.8MB
  • memory/760-126-0x00007FF870AF0000-0x00007FF8715B1000-memory.dmp
    Filesize
    10.8MB
  • memory/760-119-0x000000001BF30000-0x000000001BF40000-memory.dmp
    Filesize
    64KB
  • memory/760-118-0x0000000000F10000-0x000000000124E000-memory.dmp
    Filesize
    3.2MB
  • memory/5168-127-0x00007FF870AF0000-0x00007FF8715B1000-memory.dmp
    Filesize
    10.8MB
  • memory/5168-128-0x000000001B270000-0x000000001B280000-memory.dmp
    Filesize
    64KB
  • memory/5168-131-0x000000001B9C0000-0x000000001BA10000-memory.dmp
    Filesize
    320KB
  • memory/5168-132-0x000000001BAD0000-0x000000001BB82000-memory.dmp
    Filesize
    712KB
  • memory/5168-137-0x000000001C1C0000-0x000000001C6E8000-memory.dmp
    Filesize
    5.2MB
  • memory/5168-162-0x00007FF870AF0000-0x00007FF8715B1000-memory.dmp
    Filesize
    10.8MB