Analysis

  • max time kernel
    68s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-06-2024 10:58

General

  • Target

    https://mega.nz/file/sn1DBLJD#sN_N51-SjhbxAoe65QdXFW5k_LCk3OO3gnRvYMIyKWc

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/sn1DBLJD#sN_N51-SjhbxAoe65QdXFW5k_LCk3OO3gnRvYMIyKWc
    1⤵
      PID:3548
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4908,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:1
      1⤵
        PID:208
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4852,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:1
        1⤵
          PID:228
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5284,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1
          1⤵
            PID:3792
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:8
            1⤵
              PID:5032
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5476,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
              1⤵
                PID:3540
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5944,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8
                1⤵
                  PID:548
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5976,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1
                  1⤵
                    PID:1548
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --field-trial-handle=5968,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
                    1⤵
                      PID:1552
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6368,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8
                      1⤵
                        PID:1692
                      • C:\Windows\system32\AUDIODG.EXE
                        C:\Windows\system32\AUDIODG.EXE 0x408 0x3d0
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4336
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6932,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:8
                        1⤵
                          PID:4992
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=4428,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7028 /prefetch:1
                          1⤵
                            PID:4792
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7188,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:8
                            1⤵
                              PID:1212
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7352,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
                              1⤵
                                PID:3004
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5184
                                • C:\Program Files\7-Zip\7zG.exe
                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\" -spe -an -ai#7zMap26532:132:7zEvent10442
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:5232
                                • C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe
                                  "C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe"
                                  1⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Suspicious use of WriteProcessMemory
                                  PID:5396
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
                                    2⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5532
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                    2⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5572
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s45w.0.bat" "
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:6040
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout 3
                                      3⤵
                                      • Delays execution with timeout.exe
                                      PID:6096
                                    • C:\ProgramData\active\LZMYBCTLTD.exe
                                      "C:\ProgramData\active\LZMYBCTLTD.exe"
                                      3⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious use of WriteProcessMemory
                                      PID:5136
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
                                        4⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5184
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                        4⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1508
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LZMYBCTLTD" /tr C:\ProgramData\active\LZMYBCTLTD.exe /f
                                        4⤵
                                        • Creates scheduled task(s)
                                        PID:5276
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6804,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:8
                                  1⤵
                                    PID:6112
                                  • C:\Windows\system32\OpenWith.exe
                                    C:\Windows\system32\OpenWith.exe -Embedding
                                    1⤵
                                    • Modifies registry class
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:5292
                                    • C:\Windows\system32\NOTEPAD.EXE
                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\x64\PyInjector-x64.dll
                                      2⤵
                                        PID:5720

Network

MITRE ATT&CK Enterprise v15

Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                      Filesize

                                      2KB

                                      MD5

                                      968cb9309758126772781b83adb8a28f

                                      SHA1

                                      8da30e71accf186b2ba11da1797cf67f8f78b47c

                                      SHA256

                                      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                      SHA512

                                      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      18KB

                                      MD5

                                      9bfe53f0db0725865f9a035a447f826a

                                      SHA1

                                      9ad30cc73b38908f8559e7bfe36b8ef266c42b80

                                      SHA256

                                      fbaded8db28eb621d8fcf0a949cb3234be5bc335f66405de5e39766d817e4601

                                      SHA512

                                      d848f11f69ed03d4f29ee4bcadf61138103401a4e122779f3eca0c69f31c4d5c8f6aca1c58d95dcb8b14693eadc84f20ff2d40c63b9ad1849208f28dd8da183a

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      18KB

                                      MD5

                                      967224b7af46e836d972047a08ec598a

                                      SHA1

                                      95a9e33fcd35403fe8c424881ae5e83bbd5a3f75

                                      SHA256

                                      9c5cdbdb0f589cec970dc3ff966c744ad57397cb04279e2ba8f91584a9f60acd

                                      SHA512

                                      dc731607ee4a2e0a8c0ab2d3f2f55f3820b5c65634344f0dc7be3921d94671c3d225d2b1441df076c2f65cf73733cbb595c8d7a3141ac036c7558b3dd3212f33

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kp4c2hv.dok.ps1

                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    • C:\Users\Admin\AppData\Local\Temp\s45w.0.bat

                                      Filesize

                                      176B

                                      MD5

                                      6d38c2a06767c15757cb5952aa8df1a0

                                      SHA1

                                      181d86067e6d5d1589e188e40b798296db118d30

                                      SHA256

                                      42bb331d2e8aac44651e04cf4e7fb8e788dac54dd115cb6f24c6e93378fd8311

                                      SHA512

                                      8776740dfbdaa20b678973228f8c1a84b65ae4abc72d9c5404def7f5f53eb2db5820caa12525e1b8caf92d3e5e8aa8d0ad020d5842c7b1cd6a8e601a133f986f

                                    • C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\x64\PyInjector-x64.dll

                                      Filesize

                                      9KB

                                      MD5

                                      3134f8652d4229607bffe7b993f19d15

                                      SHA1

                                      5c51ae7856aa80e3db1a582e6870ece9f9a81485

                                      SHA256

                                      0839d2cba232d4219b7e70bc5c8eaeff53a2719750b1c0dabd2b68bc4099274d

                                      SHA512

                                      82c1514f8579ee9a95d757754e2ae6c832930bd72b8e7fea6be68c36f9857a9424e2b6776d54d21edaef5085f1699861bba2a459eaf54eb60677a760a61cb8ee
