Overview

overview

10

Static

static

10

2025-03-02...ch.exe

windows7-x64

1

2025-03-02...ch.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-02_97935ff63542a503d68440d9f8afa689_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe

  • Size

    20.3MB

  • MD5

    97935ff63542a503d68440d9f8afa689

  • SHA1

    34dd9b79772375b377f52d8f7535764b8a9e7215

  • SHA256

    ef4562b7fca6955585eb618647a662fff7cc8e01489166d17f2cbb5d00652ef8

  • SHA512

    f183c66d4f01be3e8864d84ae1f210ea6b206b8734791f911711039e163e06a46661c0c7ff4e9e52ec01abf53d98f8b89060dcdee1f2121fefdac40a88e82f2c

  • SSDEEP

    393216:4qiiuRZc4JPVC0FlcfPat38i08go0K5Y:EiuJJPVC0Mfet0K

Score
9/10
credential_accessdefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    defense_evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    defense_evasion
  • Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    defense_evasion
  • Looks for Parallels drivers on disk. 2 TTPs 6 IoCs
    defense_evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    defense_evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
    defense_evasion
  • Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    defense_evasion
  • Looks for VMWare drivers on disk 2 TTPs 2 IoCs
    defense_evasion
  • Looks for VMWare services registry key. 1 TTPs 7 IoCs
    defense_evasion
  • Looks for Xen service registry key. 1 TTPs 5 IoCs
    defense_evasion
  • Uses browser remote debugging 2 TTPs 2 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Maps connected drives based on registry 3 TTPs 5 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 4 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-02_97935ff63542a503d68440d9f8afa689_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-02_97935ff63542a503d68440d9f8afa689_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"
    1⤵
    • Enumerates VirtualBox DLL files
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Xen via ACPI registry values (likely anti-VM)
    • Looks for Parallels drivers on disk.
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VirtualBox drivers on disk
    • Looks for VirtualBox executables on disk
    • Looks for VMWare Tools registry key
    • Looks for VMWare drivers on disk
    • Looks for VMWare services registry key.
    • Looks for Xen service registry key.
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks system information in the registry
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\preview_9.mp4
      2⤵
        PID:4980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4928
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-Process | Select-Object Id, ProcessName | ConvertTo-Json | Out-File -FilePath \"C:\Users\Admin\AppData\Local\Temp\Vetzejgc\ProcessSnapshot.json\" -Encoding utf8"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5068
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1860
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM firefox.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3308
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" https://greyshare.pics/home
        2⤵
        • Uses browser remote debugging
        • Suspicious use of WriteProcessMemory
        PID:1112
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8ef7a46f8,0x7ff8ef7a4708,0x7ff8ef7a4718
          3⤵
            PID:4636
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,6377906448328057299,9494482255311064288,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1484 /prefetch:2
            3⤵
              PID:556
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,6377906448328057299,9494482255311064288,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1808 /prefetch:3
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3672
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1448,6377906448328057299,9494482255311064288,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2028 /prefetch:1
              3⤵
              • Uses browser remote debugging
              PID:4716
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Program Files\VideoLAN\VLC\vlc.exe
            "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\preview_9.mp4"
            2⤵
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1584
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x2c8 0x300
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4028
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:1292

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Persistence

          Modify Authentication Process

          1
          T1556

          Privilege Escalation

          Defense Evasion

          Modify Authentication Process

          1
          T1556

          Modify Registry

          1
          T1112

          Subvert Trust Controls

          1
          T1553

          Install Root Certificate

          1
          T1553.004

          Virtualization/Sandbox Evasion

          12
          T1497

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Modify Authentication Process

          1
          T1556

          Steal Web Session Cookie

          1
          T1539

          Unsecured Credentials

          3
          T1552

          Credentials In Files

          3
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          File and Directory Discovery

          5
          T1083

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          9
          T1012

          System Information Discovery

          4
          T1082

          Virtualization/Sandbox Evasion

          12
          T1497

          Lateral Movement

          Collection

          Data from Local System

          2
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            223bd4ae02766ddc32e6145fd1a29301

            SHA1

            900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

            SHA256

            1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

            SHA512

            648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            f380d62a69e1ea1237d8ae7153ed2d69

            SHA1

            b6c1bf4c5e995c070d542771a14abc6ae8d4f6be

            SHA256

            72af84db6a35b043619c568d82802c382e3c037ae0d6cc1c36c43d8795672447

            SHA512

            4afba6d4bbb7ee136c643930a807877c517a328377c8b23db019420047911ca72006c5becc393bc510a85444b7ceccaae6adf0d7cabff35b83b46f408ac5f544

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            14e57f7cb9bf078b63f6664f50d25b32

            SHA1

            0b6d1b4ab26cb62e20c613766dd8db40bf78f4d5

            SHA256

            a820daffba1eec9243f9aaed93004250285b160bfb390541c2e1924cf495d6ee

            SHA512

            777c98dbfcf49f4bcb5157ec383143c710569a240f14d70f3b5bef74aefeed23d1a19ed4f76593accd3507ae77789ef2cdabcb29f656e42e403c972268e4b4eb

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            891be73af9b1da61d6efb2ca93bc9993

            SHA1

            f98ccf49771396ffcda476d35fb0da3a7a0c8886

            SHA256

            652162b9c93bb69a57b74ab2d014adaa4d8690af32ec2349d8a16e704a8489a8

            SHA512

            c999a61333a94e780ef01cb0b9a88373fcf5d890383f813a73a6700ef90d84700a9604ecfc82dfdeea043ec0f3194836291291ec5cd214e915671db547251bef

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            21892d53ac50d50ea44bd5be0a99b808

            SHA1

            8a055cfa10e1da62c2caef5c1ef80ff69ffb7ffc

            SHA256

            65b6a439c81b20097a170d9219852baba5118a89f02b620e0552ad7d104c36eb

            SHA512

            618a4b430f780fb7a581f80eb9680027b9d660f7d29a7a71d9e5a52e635145f51379b30ad837cf076e3cf6770f9410bd049546b69971b36faff5dfdb55cf77f8

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            bdb194091c1368d27a3a806d3e91a08b

            SHA1

            a0a0f246c16a3e78528c831ffd677dd404e63770

            SHA256

            f58913931699af2fc968060c8951384aef46d287010bbd5dfdd1090ca7d68b0e

            SHA512

            e4605a2e75cdf6f1304c277d0415f14f3c427accc1830b44d0b5366d40801589d28024c4c0405a94b86a4b3cbd2203668dd891951d29432d95f99a662804cd70

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.bak
            Filesize

            16B

            MD5

            46295cac801e5d4857d09837238a6394

            SHA1

            44e0fa1b517dbf802b18faf0785eeea6ac51594b

            SHA256

            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

            SHA512

            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001
            Filesize

            41B

            MD5

            5af87dfd673ba2115e2fcf5cfdb727ab

            SHA1

            d5b5bbf396dc291274584ef71f444f420b6056f1

            SHA256

            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

            SHA512

            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ukfmz2s.hv2.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\preview_9.mp4
            Filesize

            7.0MB

            MD5

            93096e466066f8b645d7469e73856a09

            SHA1

            eb635b1a7a347b5ecbdb8934a1da344abbe660b3

            SHA256

            7491de8ea0c0f7a4fb7a00de5611f6be699714babd740b89c665ac09c18cc222

            SHA512

            6d4aa200034fd4f644f6d12874cdad5fbde3d94504ccb4f5aee5dc7109a6b879c9e75c51b3511c5f60664d98d27cc5846a3e684fe199360b843d151b172df741

            Download Submit

          • memory/212-2-0x00000122D52E0000-0x00000122D5302000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1584-47-0x00007FF8D74E0000-0x00007FF8D74F1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1584-69-0x00007FF8D8C80000-0x00007FF8D8F36000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/1584-36-0x00007FF8E3D30000-0x00007FF8E3D41000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1584-35-0x00007FF8E5140000-0x00007FF8E5157000-memory.dmp

            Filesize

            92KB

            Download

          • memory/1584-34-0x00007FF8E76C0000-0x00007FF8E76D8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1584-48-0x00007FF8D74C0000-0x00007FF8D74D1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1584-38-0x00007FF8E5120000-0x00007FF8E5131000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1584-46-0x00007FF8D7500000-0x00007FF8D7511000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1584-45-0x00007FF8D7590000-0x00007FF8D75A8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1584-44-0x00007FF8D75B0000-0x00007FF8D75D1000-memory.dmp

            Filesize

            132KB

            Download

          • memory/1584-43-0x00007FF8D75E0000-0x00007FF8D8690000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/1584-51-0x00007FF8D8C80000-0x00007FF8D8F36000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/1584-61-0x00007FF8D75E0000-0x00007FF8D8690000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/1584-37-0x00007FF8D5EF0000-0x00007FF8D5F07000-memory.dmp

            Filesize

            92KB

            Download

          • memory/1584-79-0x00007FF8D75E0000-0x00007FF8D8690000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/1584-87-0x00007FF8D8C80000-0x00007FF8D8F36000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/1584-39-0x00007FF8E5100000-0x00007FF8E511D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1584-41-0x00007FF8D8690000-0x00007FF8D889B000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1584-42-0x00007FF8E42E0000-0x00007FF8E4321000-memory.dmp

            Filesize

            260KB

            Download

          • memory/1584-33-0x00007FF8D8C80000-0x00007FF8D8F36000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/1584-31-0x00007FF7A9A70000-0x00007FF7A9B68000-memory.dmp

            Filesize

            992KB

            Download

          • memory/1584-32-0x00007FF8E6C90000-0x00007FF8E6CC4000-memory.dmp

            Filesize

            208KB

            Download

          • memory/1584-40-0x00007FF8E4330000-0x00007FF8E4341000-memory.dmp

            Filesize

            68KB

            Download

          • memory/5068-328-0x000001CB5F270000-0x000001CB5F798000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/5068-327-0x000001CB5EB70000-0x000001CB5ED32000-memory.dmp

            Filesize

            1.8MB

            Download