Overview

overview

10

Static

static

10

gg.ps1

windows7-x64

3

gg.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gg.ps1

  • Size

    1KB

  • MD5

    4c1d5a75dc7dbff21097fb5a63bedfec

  • SHA1

    d3a9435b41227be9617e472adbcc60c93a970c1a

  • SHA256

    13848f74c576b1624b6b64dd556791a7b40b7fee6a0fa7ea6ce3f82c8cc98b2b

  • SHA512

    74770ffea4ef1b427a8dd06b61f2f11990cce7034ee29fcb29d5470c5628338aec6454503e7592b4c75e5fdac3f21f5e5a1f12c6b57c972cafa70bc558705968

Score
10/10
vidarcredential_accessdiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Vidar Stealer 4 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\gg.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4rwtxfx\v4rwtxfx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp" "c:\Users\Admin\AppData\Local\Temp\v4rwtxfx\CSC3BB3CFFE22C44FD6A72CB6CF5541F12F.TMP"
        3⤵
          PID:3252
      • C:\Users\Admin\AppData\Local\Temp\odw3s2ws.wr0.exe
        "C:\Users\Admin\AppData\Local\Temp\odw3s2ws.wr0.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Physiology Physiology.cmd & Physiology.cmd
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "opssvc wrsa"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3260
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:116
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3668
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 390216
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4296
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "Enter" Cox
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4364
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Telephony + ..\Ignore + ..\Residential + ..\Masters i
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1768
          • C:\Users\Admin\AppData\Local\Temp\390216\Columbus.com
            Columbus.com i
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1676
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\390216\Columbus.com" & rd /s /q "C:\ProgramData\4OP8GVKXT2V3" & exit
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 10
                6⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:712
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3476
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 9097ed353b84d4cf20ada8395bcaab13 HngH4+jrDUKsV0mUMO2B/g.0.1.0.0.0
      1⤵
        PID:3252

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\390216\Columbus.com
        Filesize

        925KB

        MD5

        62d09f076e6e0240548c2f837536a46a

        SHA1

        26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

        SHA256

        1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

        SHA512

        32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\390216\i
        Filesize

        285KB

        MD5

        d50bfc4cfc93e4a13504bac07c9faa06

        SHA1

        4df7f36e735e4e7c3cedeada4e9db03e92f97da2

        SHA256

        800c00065760459ff7a2c4ae376fc9e4f29d508002fad2f282f7f2fe65d0d182

        SHA512

        bf139129910e598f02264aabf6d7544f5083ac3fdaf7eec245b1399ca028058ddca7dc4e496127a035498d8390a7984ecf232d3ca86159c091937d0b5c4bec08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Bridge
        Filesize

        93KB

        MD5

        ca085e5e19e253169916cb633afa2c93

        SHA1

        99294155640139022ec331f398521374cbebb15f

        SHA256

        74e2066c07e0dd365b14b8bfdc98cb01c9429828874bb6effe53aca22cb7ee58

        SHA512

        09e6523c3876642f23bd68c3ea54e0d6d42763a9e41efa168a731f8ea4a02852a49f69ac97bed4f4198231f2b4a60891af41d46de3a397003d53024ba7be9af1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Card
        Filesize

        138KB

        MD5

        f0a36b149eb13b57f8599709ef945f81

        SHA1

        ba4a8b590bb2571fc68781f6c8fd158046df4e8b

        SHA256

        c17aaaab08817fc25a41cafdff0e372485fd643b7fa3f453a03d9425fe642d48

        SHA512

        27a25cde2b7ff930e836368f6e5a28602f4ac4fd74addad621da2f15d8e960ecc5c4ebcaa582939e3799f3d70483b48ef303ed1ec8177ea1f4b4eceb53431fa2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Classified
        Filesize

        111KB

        MD5

        262c429fd93fcfc2e4d4e3d61a2176d7

        SHA1

        2723e9983128d0eb156a3dd39ee982c55891e4dc

        SHA256

        affa77b019ce8187b97a5f69f48506ed199678e8096ebf40a88202ba8b30893a

        SHA512

        64825f5900e6094f9b446b352c72d6905ba9d42f29967474346d847927a5ba5a015344ab58ff9fe9db22243b41cffee72da05a0ede92b2a584ed241c8038bc7a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cooperative
        Filesize

        51KB

        MD5

        f499d3545caf3a627a86bb1da506a0bf

        SHA1

        7b5544df8d88e1aaa7474b5b6ca55267b9c1f01a

        SHA256

        e88b87c95a125202447b8e89ae6bce9bf457213ea2df56b9ee44dc52cf7866cd

        SHA512

        64830fc0d8763b295d13de4f58f535e3a96c68094f490264f2a155ee8fb66ea250dfde3079e526a2462963dc10b9b2f31b57c02e40239345bf8ab1fba2f48841

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cox
        Filesize

        1KB

        MD5

        76e4e89bf684851551fc8bd71d6ca3c2

        SHA1

        a717fda4d40abaffbf26ed18af5960a032d2f671

        SHA256

        90eccc6ea68e1d94c2c805ac08414ec52b40e2fc6f58fea56ab98b5f9ddc8261

        SHA512

        6446180fae5bb83943cd02c3cd9e7134decd76ab136f3ef7951e78ad8c86fe16a2d8580047a5d794835f8321904ca8ea4fa723d043e44c30d8d66e1b033414d5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Enemy
        Filesize

        87KB

        MD5

        be3a31e5a4a93cbeb05b408f98050358

        SHA1

        d888a6b68d6a1e4bc81f6d38aa6db672d3f6345b

        SHA256

        4aada48ba766c76478bfdfb1bede0b000516a66d12cd908b5e6e106fdf8d2f91

        SHA512

        4fa011fba828704609a05c6de73931282b711bf92002597fc8530e87fabd6282536f1585127fdb7f05ea5d3c0b9bc279abd7a291e5756cadf546baf7e8fe3d14

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Growing
        Filesize

        114KB

        MD5

        2f00a26b7d4abd72863f04bf74c4f43b

        SHA1

        bb7f08545e77bfe825bcbd0a3804ef6354accefe

        SHA256

        2100a2d794872e26355b0ebb35e20489bfe762706ec47e5ced411560853aa394

        SHA512

        fb80654476addf732cf3362585115380a5a4723a45f61bd35c8a47b1d5a9a839b7d0dda6e869b0fbc4e6acf085321f6b816f846c77f8459ec939d8240b381c39

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Hurricane
        Filesize

        135KB

        MD5

        17466a3250859da0fcd50b639a581e38

        SHA1

        c06417abc69ed49076279b679e1e008c750afa67

        SHA256

        6e70c9b0e1b324bc454b0ff84b951072e6798c2ab08305ffd6b2712b3f4d5732

        SHA512

        7954f93b3fa3b78eb93016c879069e1be4e282201c1f2005acac47e00e118c4fc58d59c272440699797c6e2a019a15f72a5256a26588fd279c738579e54a1fd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Ignore
        Filesize

        85KB

        MD5

        01a4f681243d2cadc74bd9879974e17d

        SHA1

        85c004e8ae35c80b909d2738bb31694fb431469c

        SHA256

        89b17825b2e6386cdc39b0936a41313a45c406ffa58c38842124357cc5d4e40e

        SHA512

        95ffd5d481907c6361f09a9b2ba8765d630644f758b60834b18a6a85d90914e4b58a8abc1a22456fa4b5f395b6a19e6eeebb4fda17f6385b6b7fc4b8d3ee5821

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Mar
        Filesize

        100KB

        MD5

        669374cb80d133b19215fbcf4216fb33

        SHA1

        cca218bad3324a2f427909f8946f73a972535baf

        SHA256

        ffd1a789ad8b400a1e8ab25c378df800b40458037a05a532cb385b87ada69551

        SHA512

        6268aea10dfb69570c3c062ab554c56f20f25f31baca58c364e47c15e50fcbf02d1e2253daf25389614f18fd47f311993036d28e3669d2c0e15bacd941da6333

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Masters
        Filesize

        69KB

        MD5

        15153a8f88836a0894aeb0cda8eebbc7

        SHA1

        b3081cd10449186a6b530d33a6af07e0b605a0cc

        SHA256

        ba83e9b9334670c1e4e4a57799093764f4752794e04526522445225ada497862

        SHA512

        b7375272220dd4065ce70ec8869a0f2438cc1b5358eff2d376432e2576444ad9151c5030fec11eff85e35f7b1dd87376424455e1129301e354479e2f70cc5efa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Notebook
        Filesize

        94KB

        MD5

        75b34ad87ca3d160c6f0f13a095a0208

        SHA1

        c7aa80a1121bbe727c1606d085a80cd32df74afc

        SHA256

        2277b91195da657200c3acc57549947386b5d259f5b5df53670018609555ae54

        SHA512

        cc7741310d487b2731ae8efe8da8ebfb72650f63b94df7416303ccd090535d98ce96670361108f72d6ae7b4e2f6f23ab74d4c7b8d4e2d633fd210cb5e88af3cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Physiology.cmd
        Filesize

        11KB

        MD5

        a1bedd2aba677e9860ae8c479493dd3d

        SHA1

        147f198fbcab5bd8f8a7e692419008e441009311

        SHA256

        27df28d589676374d7dcfd74c61a09271983a2ef35e3f99bda8010466b45fd32

        SHA512

        eff4342247bfb25cf8f26ab336582c85b6beb89b38aacd4195beaecdee059fc4abd00be196e5ac0e592de22c4e4ddd68c4dd18180247cd6e989fb302f0380025

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp
        Filesize

        1KB

        MD5

        f51af31500415f40dd0dd872eae835fc

        SHA1

        c3894c6fa2f1ffcec8990c4b2eb912b4dafdcde7

        SHA256

        ce8e7438e991b0a079826b194b0bf0e8deb88497ff5c93184cfc5b0b60b94984

        SHA512

        6131c4c6fad1f2ddf735de8d18f3c87fe92d5960d955942716fae5c09989020662f9a30e3a4400ab35e24ed7fba02a13bad0e336d03eff59691f7140a8ff4134

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Residential
        Filesize

        76KB

        MD5

        2bf504f0f2152a7c1dbe41e84ba8f161

        SHA1

        48d5766f8e45de643ef813a6c16ee8987e57ed2b

        SHA256

        baa6ef1aed55fe08d07817920242ab42fd92d2491a8c5109dc3d7ff3553a3fc8

        SHA512

        1290c03543ec6c9289bfafd102316f9541422afea48697b36b522bb6ea3294ca88292c57c9b0cc2dcb47bbfa3ceb9c67c106ec38e11a10804e03c2a7faf15739

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Telephony
        Filesize

        55KB

        MD5

        7a492c1ee6f21e5cdfb7da8aa9386388

        SHA1

        c64be5a5a31f704b8328d67440e22ec5c3d1e8af

        SHA256

        030847c8d85d6faf5ccfe613d606eb6565d089dc2ac223a5193e97217b49d069

        SHA512

        5213dd4d03f029be7ae9871a53ba111bcad978f634941ec85dd24eefe564f14d3bc1500996009d135add02515fae37eb4b0d51c006ea5fee001997c962c03892

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5kz2q4v.k3w.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\odw3s2ws.wr0.exe
        Filesize

        1.1MB

        MD5

        dc5dd4bb664c7a5b89adb87740f410aa

        SHA1

        3530be832f3878c9227a1ca3166c35eba433bd76

        SHA256

        d77648c1e78a6080111047b0fc08d40f6d4c7017171a57abb26fc442c5831e8e

        SHA512

        e9e8813d7611c5df146f4cbc415369b288d045393ef3683fc413152aa40b3ecea34ff7cdcdf75e1f18b7a11ec48f647f65c466d154a1cbc722bf996398d8a194

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\v4rwtxfx\v4rwtxfx.dll
        Filesize

        3KB

        MD5

        99e78786b836f2f5096536ce2a9280be

        SHA1

        2276ba8f6c13e1a074b54535fda36cee3860ce0d

        SHA256

        7a736f7de9d032fe36d800f5a45cd3f13546be68dd428a9657af744346e5f467

        SHA512

        1c312f5762a5d769d65075d872d1045caa03c8dbb40559ff84f2ad38030e0d72fe31f740e684f1a43ddba652bb73809534e1221274980f2e17092e8b313cc7b3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\v4rwtxfx\CSC3BB3CFFE22C44FD6A72CB6CF5541F12F.TMP
        Filesize

        652B

        MD5

        d6b4a5e3a8fcf11110fccd0ce4a95053

        SHA1

        165045a034733d68833750afd8b7fb856564f802

        SHA256

        b51f707e88dfd354cf0dbe67194f02705c670ed7c7483971fe17532ce9e8824f

        SHA512

        2bc8a743af06f93b9e3a25e062a0d9d5ae0394bae62956c0f16b375e1ac8abcd005459f7d3b3351a825522d738ed79691cc7d44e21a4a31e3831207845a63a16

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\v4rwtxfx\v4rwtxfx.0.cs
        Filesize

        648B

        MD5

        8539b6708ddc98df3a1cd74954dc89bd

        SHA1

        a69c850c26e8ecd62a3dc997164d4c92617fa40d

        SHA256

        0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d

        SHA512

        c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\v4rwtxfx\v4rwtxfx.cmdline
        Filesize

        369B

        MD5

        a6427f85338f171049bbf19aa9649302

        SHA1

        76ba544f5d60ebb99ee3f2620512bd234da117ed

        SHA256

        c2fdaa0665a4dc3a9716804becfefc55c9da7b87955037badc3af78edbfb4c00

        SHA512

        c222e5767773cdd5633b0437b53947e963b70474690a3ab9323e783ffb8913cd621a7d0efd758cb5c035b6199eb3e45bf6dd7068ecc8147c6e6355d4bc6bceb3

        Download Submit

      • memory/1676-355-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-356-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-346-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-347-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-348-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-343-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-345-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1676-344-0x0000000000040000-0x0000000000279000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3204-28-0x0000020D4D2D0000-0x0000020D4D2D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3204-10-0x0000020D343A0000-0x0000020D343C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3204-11-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3204-12-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3204-13-0x0000020D4D320000-0x0000020D4D370000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3204-14-0x0000020D4D7B0000-0x0000020D4D862000-memory.dmp

        Filesize

        712KB

        Download

      • memory/3204-15-0x0000020D4DA40000-0x0000020D4DC02000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3204-0-0x00007FFBF6CA3000-0x00007FFBF6CA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3204-37-0x0000020D4E140000-0x0000020D4E668000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3204-55-0x00007FFBF6CA0000-0x00007FFBF7761000-memory.dmp

        Filesize

        10.8MB

        Download