Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-12-2024 02:32

General

  • Target

    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe

  • Size

    502KB

  • MD5

    a9c9735f6e34482c1cdd09e347a98787

  • SHA1

    6214e43cdc3fd17978955abf9c01a8d8c3ea791e

  • SHA256

    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

  • SHA512

    084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

  • SSDEEP

    6144:sTEgdc0YeX1uRabMR0FdOWbYZTR9UbGzcEKVb8F9ywLlqlHcTR3t:sTEgdfYzRa9uza6FL4lHcdt

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    Target

  • C2

    127.0.0.1:6070

    affasdqa.ddns.net:6070

    haffasdqa.duckdns.org:6070

  • Mutex

    670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes
  • encryption_key

    25B2622CE0635F9A273AB61B1B7D7B94220AC509

  • install_name

    svhoste.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhoste

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe
    "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:624
    • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3908
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7tXgDqDk2qaz.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:3312
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2380
          • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2544
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2152
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xrG2qCVkFpqV.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3788
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1352
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2668
                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3704
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3000
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CFiCu3fQFCtD.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2844
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:956
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1084
                      • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1792
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4768
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JfKMe0GKWr79.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1628
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1600
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4624
                            • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:724
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1364
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7nADx8XvX1Bb.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3612
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1864
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4948
                                  • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:3008
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2300
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaDmxv41b56a.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4856
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:720
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4056
                                        • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:4544
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2492
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwEEtXLsAZqb.bat" "
                                            15⤵
                                              PID:2100
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:4292
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1016
                                                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:2156
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1640
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\93hTxNdAJOO3.bat" "
                                                    17⤵
                                                      PID:408
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:2312
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:3324
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3912
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4924
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4wgL4WoFSu7A.bat" "
                                                            19⤵
                                                              PID:3220
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:840
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:1916
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:4480
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:216

                          Network

                          MITRE ATT&CK Enterprise v15

