Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-12-2024 11:21

General

  • Target

    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe

  • Size

    502KB

  • MD5

    a9c9735f6e34482c1cdd09e347a98787

  • SHA1

    6214e43cdc3fd17978955abf9c01a8d8c3ea791e

  • SHA256

    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

  • SHA512

    084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

  • SSDEEP

    6144:sTEgdc0YeX1uRabMR0FdOWbYZTR9UbGzcEKVb8F9ywLlqlHcTR3t:sTEgdfYzRa9uza6FL4lHcdt

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

C2

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070

Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes
  • encryption_key

    25B2622CE0635F9A273AB61B1B7D7B94220AC509

  • install_name

    svhoste.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhoste

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe
    "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4468
    • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1932
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zx0nhfyhfb7N.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1096
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1448
          • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3308
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4940
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4q0gx4uBoFKB.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3064
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3972
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1796
                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2572
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2588
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R4PxM8KBaANE.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2312
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3128
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2932
                      • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:3240
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3492
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JabGP22v9oZs.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3276
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4948
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4816
                            • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:4040
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1200
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GDQWehuDCtL4.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1268
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1852
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4556
                                  • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:2372
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4072
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P6QwwhnwI2Tk.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3972
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:452
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3832
                                        • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:4144
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1452
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HHbBDYnemUfW.bat" "
                                            15⤵
                                              PID:3248
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:2572
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1952
                                                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4892
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2312
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Q2zZqROt2L5.bat" "
                                                    17⤵
                                                      PID:4832
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:696
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:2036
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:980
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4476
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RM1MlnCZjreu.bat" "
                                                            19⤵
                                                              PID:4328
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3660
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:4708
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:3496
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:632

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhoste.exe.log

                            Filesize

                            2KB

                          • C:\Users\Admin\AppData\Local\Temp\4q0gx4uBoFKB.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\5Q2zZqROt2L5.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\GDQWehuDCtL4.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\HHbBDYnemUfW.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\JabGP22v9oZs.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\P6QwwhnwI2Tk.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\R4PxM8KBaANE.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\RM1MlnCZjreu.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Local\Temp\zx0nhfyhfb7N.bat

                            Filesize

                            208B

                          • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe

                            Filesize

                            502KB
