Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 08:22

General

  • Target

    2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe

  • Size

    17.5MB

  • MD5

    1603ae955d010896283442534a8ad39c

  • SHA1

    90101b5164c138f227d7add871c1f629bd6d083d

  • SHA256

    34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09

  • SHA512

    e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e

  • SSDEEP

    98304:E33JumYT82ylgsN0Nbh0pgnu99UHxh+VU1KSmv+4mn:A8hggIuh+VUvmmn

Malware Config

Extracted

Family

vidar

Version

11

Botnet

346a77fbabba142b23c256004b5a7c5d

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

  • Detect Vidar Stealer 16 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Power Settings 1 TTPs 12 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 19 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_1603ae955d010896283442534a8ad39c_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\ProgramData\HCFCAAEBGC.exe
        "C:\ProgramData\HCFCAAEBGC.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2344
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4072
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3612
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            5⤵
              PID:4484
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            4⤵
            • Launches sc.exe
            PID:388
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            4⤵
            • Launches sc.exe
            PID:4392
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            4⤵
            • Launches sc.exe
            PID:2504
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            4⤵
            • Launches sc.exe
            PID:3560
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            4⤵
            • Launches sc.exe
            PID:2588
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4972
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:696
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:5032
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            4⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:3352
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
            4⤵
            • Launches sc.exe
            PID:4852
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
            4⤵
            • Launches sc.exe
            PID:2580
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop eventlog
            4⤵
            • Launches sc.exe
            PID:3100
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
            4⤵
            • Launches sc.exe
            PID:3344
        • C:\ProgramData\CGCFBFBGHD.exe
          "C:\ProgramData\CGCFBFBGHD.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1020
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAFHIIDHJEBF" & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3244
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2312
    • C:\ProgramData\GoogleUP\Chrome\Updater.exe
      C:\ProgramData\GoogleUP\Chrome\Updater.exe
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
            PID:1644
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          2⤵
          • Launches sc.exe
          PID:4948
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          2⤵
          • Launches sc.exe
          PID:2956
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          2⤵
          • Launches sc.exe
          PID:3268
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          2⤵
          • Launches sc.exe
          PID:3432
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          2⤵
          • Launches sc.exe
          PID:2760
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4144
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:5036
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:532
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2384
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\ProgramData\GoogleUP\Chrome\Updater.exe
            "C:\ProgramData\GoogleUP\Chrome\Updater.exe"
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2296
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3524
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                5⤵
                  PID:2580
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                4⤵
                • Launches sc.exe
                PID:756
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                4⤵
                • Launches sc.exe
                PID:4896
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                4⤵
                • Launches sc.exe
                PID:4740
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                4⤵
                • Launches sc.exe
                PID:2608
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                4⤵
                • Launches sc.exe
                PID:1936
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                4⤵
                • Power Settings
                • Suspicious use of AdjustPrivilegeToken
                PID:1052
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                4⤵
                • Power Settings
                • Suspicious use of AdjustPrivilegeToken
                PID:4308
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                4⤵
                • Power Settings
                • Suspicious use of AdjustPrivilegeToken
                PID:312
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                4⤵
                • Power Settings
                • Suspicious use of AdjustPrivilegeToken
                PID:4804
              • C:\Windows\explorer.exe
                explorer.exe
                4⤵
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1220
          • C:\Windows\explorer.exe
            explorer.exe
            2⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:724
        • C:\Users\Admin\AppData\Roaming\service.exe
          C:\Users\Admin\AppData\Roaming\service.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4952
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              3⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4448

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\CGCFBFBGHD.exe

          Filesize

          5.4MB

          MD5

          925ec45b5ac88ab7af039190589204b9

          SHA1

          c71158e158d9b593be3187340c731cab5f14ad98

          SHA256

          419901e7e1747a9c413e657920429ce1d31e1b5af24e68a7dd79629066118133

          SHA512

          089ade1924ffc617670cac36e90d2c302d5b1d9e9edb1501fb0ba2c82ef530dae019b037923cdc45482998fec83fc0c5256f1fc55f22ad4b386721432cd96890

        • C:\ProgramData\HCFCAAEBGC.exe

          Filesize

          5.6MB

          MD5

          2eea3ddbfc81544b54a4ac5028a30805

          SHA1

          b57ad8495421c6bc56498d494a99b4e0cbfabdea

          SHA256

          ab043bb5ec1911f462c0e6341efb93c2760f097becc0c01ecbd02e5949b10025

          SHA512

          0b87ff6eb029675c2b6a9af0136270cb0cfcced04f53756dd35983962b46dbd79cc6ffc679ea3f84b5c6b6f25df07af886ddb3c8a770dfa31fd5b5a522cf9f79

        • C:\ProgramData\mozglue.dll

          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        • C:\ProgramData\nss3.dll

          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gb3a33gr.o31.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Windows\TEMP\pjjtwoljkwri.sys

          Filesize

          14KB

          MD5

          0c0195c48b6b8582fa6f6373032118da

          SHA1

          d25340ae8e92a6d29f599fef426a2bc1b5217299

          SHA256

          11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

          SHA512

          ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          4KB

          MD5

          bdb25c22d14ec917e30faf353826c5de

          SHA1

          6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

          SHA256

          e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

          SHA512

          b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          b42c70c1dbf0d1d477ec86902db9e986

          SHA1

          1d1c0a670748b3d10bee8272e5d67a4fabefd31f

          SHA256

          8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

          SHA512

          57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          2b24135c275cd88473601b97234e4c4d

          SHA1

          5aac75438f222f430ab9b95f80f22a5626c498fa

          SHA256

          f66b5a12ca819afeb838fe912093d4c3cab6287fddad1ae516052a83a35b8983

          SHA512

          274f62312c4734c8ea7ec02411a3f0e179871b76660f487a3b0a7b9934675e414ca5bc7f3bf89d133aca52b947e8e309cdc3c5fa066e47516ce55414e498ffbd

        • C:\Windows\system32\drivers\etc\hosts

          Filesize

          3KB

          MD5

          00930b40cba79465b7a38ed0449d1449

          SHA1

          4b25a89ee28b20ba162f23772ddaf017669092a5

          SHA256

          eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

          SHA512

          cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

        • memory/724-197-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-193-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-189-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-187-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-194-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-195-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-196-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-190-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-191-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-185-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-192-0x0000000000C70000-0x0000000000C90000-memory.dmp

          Filesize

          128KB

        • memory/724-188-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-186-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/724-199-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

        • memory/764-125-0x0000000000400000-0x0000000000C35000-memory.dmp

          Filesize

          8.2MB

        • memory/1980-75-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-20-0x0000000024A20000-0x0000000024C7F000-memory.dmp

          Filesize

          2.4MB

        • memory/1980-268-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-1-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-4-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-7-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-8-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-17-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-18-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-34-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-35-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-51-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-52-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-74-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-0-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-82-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-86-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/1980-87-0x0000000000E00000-0x0000000001075000-memory.dmp

          Filesize

          2.5MB

        • memory/2224-223-0x00000237F0DE0000-0x00000237F0E95000-memory.dmp

          Filesize

          724KB

        • memory/2344-113-0x00007FF6ADE60000-0x00007FF6AE9C8000-memory.dmp

          Filesize

          11.4MB

        • memory/2600-227-0x00007FF6D15B0000-0x00007FF6D2118000-memory.dmp

          Filesize

          11.4MB

        • memory/3388-180-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/3388-177-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/3388-178-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/3388-179-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/3388-184-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/3388-181-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

        • memory/4072-137-0x000001F167220000-0x000001F167242000-memory.dmp

          Filesize

          136KB

        • memory/4180-144-0x00007FF6D7FF0000-0x00007FF6D8B58000-memory.dmp

          Filesize

          11.4MB

        • memory/4996-165-0x0000021BDFDD0000-0x0000021BDFE85000-memory.dmp

          Filesize

          724KB

        • memory/4996-171-0x0000021BE0010000-0x0000021BE0016000-memory.dmp

          Filesize

          24KB

        • memory/4996-170-0x0000021BDFFE0000-0x0000021BDFFE8000-memory.dmp

          Filesize

          32KB

        • memory/4996-169-0x0000021BE0030000-0x0000021BE004A000-memory.dmp

          Filesize

          104KB

        • memory/4996-168-0x0000021BDFFD0000-0x0000021BDFFDA000-memory.dmp

          Filesize

          40KB

        • memory/4996-172-0x0000021BE0020000-0x0000021BE002A000-memory.dmp

          Filesize

          40KB

        • memory/4996-167-0x0000021BDFFF0000-0x0000021BE000C000-memory.dmp

          Filesize

          112KB

        • memory/4996-166-0x0000021BC55E0000-0x0000021BC55EA000-memory.dmp

          Filesize

          40KB

        • memory/4996-164-0x0000021BC55F0000-0x0000021BC560C000-memory.dmp

          Filesize

          112KB