vidar | hxxps://drive[.]usercontent[.]google[.]com/u/0/uc?id=1ZfsxDG_eEU3TT3O0UErfL_QcfBU9vzwn&github

Analysis

max time kernel
137s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-10-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.usercontent.google.com/u/0/uc?id=1ZfsxDG_eEU3TT3O0UErfL_QcfBU9vzwn&github

Score

10^/10

vidar 962abdb0b49579401d25d63a1f697be6 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

962abdb0b49579401d25d63a1f697be6

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral1/memory/3968-749-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-750-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-759-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-760-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-770-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-771-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-777-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-778-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-782-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-783-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-807-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-808-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-817-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/3968-818-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/4028-826-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/4028-827-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/4028-835-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/4028-836-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/2588-844-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/2588-845-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4572	Unlock_Tool_2.1.exe
1740	Unlock_Tool_2.1.exe
4904	Unlock_Tool_2.1.exe

Loads dropped DLL 2 IoCs

pid	Process
3968	MSBuild.exe
3968	MSBuild.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4572 set thread context of 3968	4572	Unlock_Tool_2.1.exe	99
PID 1740 set thread context of 4028	1740	Unlock_Tool_2.1.exe	110
PID 4904 set thread context of 2588	4904	Unlock_Tool_2.1.exe	116

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4380	4572	WerFault.exe	97
1976	1740	WerFault.exe	109
308	4904	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4728	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133728525880237353"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1016	NOTEPAD.EXE
4292	NOTEPAD.EXE
4624	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
2396	chrome.exe
2396	chrome.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
3968	MSBuild.exe
4028	MSBuild.exe
4028	MSBuild.exe
4028	MSBuild.exe
4028	MSBuild.exe
2588	MSBuild.exe
2588	MSBuild.exe
2588	MSBuild.exe
2588	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe
Token: SeShutdownPrivilege	3508	chrome.exe
Token: SeCreatePagefilePrivilege	3508	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
4144	7zG.exe
3844	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe
3508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1504	3508	chrome.exe	73
PID 3508 wrote to memory of 1504	3508	chrome.exe	73
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 4328	3508	chrome.exe	75
PID 3508 wrote to memory of 3856	3508	chrome.exe	76
PID 3508 wrote to memory of 3856	3508	chrome.exe	76
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77
PID 3508 wrote to memory of 1928	3508	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.usercontent.google.com/u/0/uc?id=1ZfsxDG_eEU3TT3O0UErfL_QcfBU9vzwn&github
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb02b49758,0x7ffb02b49768,0x7ffb02b49778
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:2
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\link.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5484 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3004 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=880 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 --field-trial-handle=1664,i,2516587401949820771,10869610528640563751,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock_Tool\" -spe -an -ai#7zMap29756:84:7zEvent25034
1⤵
- Suspicious use of FindShellTrayWindow
PID:4144

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unlock_Tool\Password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4292

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\" -spe -an -ai#7zMap11939:116:7zEvent19772
1⤵
- Suspicious use of FindShellTrayWindow
PID:3844

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HIDGCFBFBFBK" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 236
  2⤵
  - Program crash
  PID:4380

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Unlock_Tool\Defender_Settings.vbs"
1⤵
PID:68
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Unlock_Tool\Defender_Settings.vbs"
1⤵
PID:2920
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1260

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 196
  2⤵
  - Program crash
  PID:1976

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 196
  2⤵
  - Program crash
  PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
84a419932fa7a4b2f8dd2e1959b13902

SHA1
da60d44521259cd227c7094167ff41b75ff66013

SHA256
66180fc933bad4a2ba36eb65523e8a62cde3ef07b23785e405c324c45a9f60bc

SHA512
b90f410ba860b92e21b282be778b94b8fe617f9b104da6c0c200564c5da41ee5c4b05f30dcf5ec235786408584c2d4dbf838efdcfda793ece9d4f9c38f64d67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
6de65bb081f6e77f7f68a77a625d543d

SHA1
e894258e1696aeccfcf2b51033bc096ea999ba82

SHA256
d285139f71fcbd44261eacf8325568e7a4be18743633bb0577891d54adc15759

SHA512
995e539ee365ff1927aa851ac437b4e28c1b4a747afd08a1ad981afd7a3a97d30a9ef7549bf6fcd2962602485483145753c17bac535ae8d5ea4cb11b8469dd9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
904B

MD5
5a2f03fe218fdd60166d5a477c2bf5c0

SHA1
cd21a7ee09ace973400612047524f9efae62ea9e

SHA256
150b368999530065ef0e1935acde921e244ab73b975f64c7effbf2146e4094fa

SHA512
7ab1db5b4a052f605a97de8602e7d68c529ce706a600084e17f888fac2efacfa741150589a230357e5d2041be9d1bc7de0f0dd24e1f15cd046b31fda5fa8ad96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
b53213bb2e5b9ad56b04d6976e950411

SHA1
e430ad0284903a1c61a09de9e5b34ddd68daa300

SHA256
e8a42d338233f4191424d2b87b79d38dd223879c7e69f81fc8990720eb850ccd

SHA512
ea7721f64999d63186e649fa24d0093940990d54eed6af544b4a35fb34f47b100caba6656a1e5e87e90de984fdea5405dec11e04cf5933192575326ef2bab1b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
0adc915f166c2c584673742b0d73dc43

SHA1
a3d3a24cc071fac2091887bf9082cefe2e12ce00

SHA256
91ba18697fbbfeb97a0604a7d1a44dd853438d81ee3ab1be970e56a9000bd456

SHA512
d79d12d089bce7588ba3831bef351c78e82e7a81cb8b09b9285b602084ef34f740dc9139ea204164ea4f1a4af007c1f784c3d00fa26aac5b0de69c8f371daa93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6612222edcc8ca9e509068c3d8bd9f55

SHA1
68a9e7c1c4f84f8291ece04507dc302489c8a024

SHA256
c718b2bbde9cd993d2e1fed9aab988722d24815a97e959a340dc89ef30b186d9

SHA512
cf75a80371c3ee62735c7b210c7f36a4e444443624eb07bc90aa0810dcec6b301e445785fb2cdb8f756e61732491c74fa30ab885fba36f41806e08eff19bdb32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9b5f99fa0a6383059217029bbd6e44aa

SHA1
d26d0e2375ef44b91141e93c91b22228402dd924

SHA256
e8950f9f3748e860621a8a378216d867df34c44acbfbab918e2b07a380634052

SHA512
29de6147b25b88370fe1c57badd8212a8cc835ac066d9b8644bb35c016342289051403b3c8e7ad95d951086617228cf53563f81671a181ace02c14ca4204783f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fe9ea0167fdddd04032bf8f5bdb6195d

SHA1
6443dab5818d5b67befe61d5db4babf0ba1f8b2b

SHA256
2d7c5109be250c7dc62e41ffd04562d57e2b0e3ab05854b72c28553a2614bcd5

SHA512
7a9c97f7d086123c2a61cec47c443972f5353b668ae8d5eef7e54389c32c12a25025117437125751b8dbfbecb60c2beccc9a4677f1dad29d6a46f90d0dcf61b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
4efd9e97612d5cf9ed28a98bf61ecebf

SHA1
446f2100ed4e334479e05f3cbca18bfa77d54ca2

SHA256
a8f1263970684ac3395630bb57b19118032e9bc33fe672a781831d2840f93cac

SHA512
dce22a90d0be7fc35f1865f9c8aa20aa41dc2ecb5906922e07b65b6f9c6393d658be684e87088372ee28d73a38916ab6015d4da9caf854e7c5b787e8ad924582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
f5bfa02238b7dd798b264c7fe7c4cf1f

SHA1
591f2c3b5a65793bac3529a5ad8d11660fbedce5

SHA256
546794936735135c7a5b03a46adf8dd7944dcace5ae52b57cd6865fd94e88234

SHA512
6bbb9dc939521ff64e7ee18b55c019a3b79edf22d21c623f2c847f2301e66d39a6bcf9b03bc5e34a05687f71e48afbd32387b7b0a7b7f68c817011e1ca3c4f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58244c.TMP

Filesize
105KB

MD5
0883d2956148593df729fa43ca7ef6e0

SHA1
c4fd2e84ce1da9214861d129ef524972482333dc

SHA256
b6ff60528fadce063455d817f0bf6e2835450fd6cb7011f699e427644eb0c3a4

SHA512
ffe7b05e3ac683fa2b40bf03c4b3d48e03e55d1a55c4d61b6b56d76f313d89611c381c62782337ec12e454b10066858ff9852dfbefb18cf7c81d62c424504f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\aadba266-ca46-4927-b83d-1812e647a428.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BLQDLNEB\76561199780418869[1].htm

Filesize
34KB

MD5
0fd1f1ee997dff3042c2367cecf183db

SHA1
279a1e78bec60596970cd36e624cad50e022513a

SHA256
2075bf35ffeef66fa43ceaa6fe1ea373603aecf89fafaef86e6f6c53c3923106

SHA512
f2c8f30c8de78f644407378d00376f046acb5d9b5b2db6b4ff92ae97c11c9492a2b12e783c5e48025d9371e095ed24aee6a1476f77dd51e3687295b3ee4ed824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\76561199780418869[1].htm

Filesize
34KB

MD5
84ef93433b235db4824bffc5f2bc655f

SHA1
b9469bfbce1eb6a52d06cfb27366df14be9d8dd2

SHA256
8eee2795f34477387a6ef88d9683303bc9d6576c3ea40841f5a8be04a47e6591

SHA512
c03d9eac1e6fdb7f6dde12c08b42bfa0402718e149b5c13e659f44db17c7e59331db1ecd927a5da8b190fbbb626b399c5d71ae154a93c258c16c6f300b5e0852

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool.zip

Filesize
43.6MB

MD5
81a99f6b3a99fa1954ec74224a5ef78b

SHA1
10197c44abfa660b0da1114db00124648c18e92c

SHA256
d6416fe311de721d307c84d41bb07ecbcb99dff33d27537fbd71fc3b2623e43d

SHA512
ae37da09b2bc3f48bb471c900968e4f92ef618d9a5e4a8b90d7868ee896094f39c8c178758d5f23b1cac0f99251b54c92593b317bda2f28f8ef820cfe14d1a58

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Defender_Settings.vbs

Filesize
313B

MD5
b0bf0a477bcca312021177572311e666

SHA1
ea77332d7779938ae8e92ad35d6dea4f4be37a92

SHA256
af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9

SHA512
09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Password.txt

Filesize
95B

MD5
f246bf2465b177d492506954be377c3f

SHA1
6feaf291a50c33203d6e98356d47758158bbaa1f

SHA256
5cb592843421ba6fda5fd5cc143b214b94d402c2d23a025dfb872e98a755278b

SHA512
3eed854638582c981ce746a5b68d7f81d2faee38942811486ca5bb228d649bef6c0fdb9d1524c3495d62748b13d17e652d82587282bb5be069bc5ac899851214

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.rar

Filesize
43.6MB

MD5
4adb10c6782081806679b05c24c4448a

SHA1
ce8a71a7c15c20933cb09d3efb530a49b99b2457

SHA256
1732858bf868f2f83b04902260e716f3eb4d41305a9d8eb60d1c4ea467c65508

SHA512
92e2ea7a1b5eeed239fdb940b70fd442c38d65932c554f69d95bd64b19fdca0485232fe1f2d350acb91102d47923af99bff4820d28527103bed6e0adb879104d

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Readme.txt

Filesize
102B

MD5
81eecc931bfd08cdb73f7a95df5ea463

SHA1
756cd962e0ee937bc878cab7c786e96a6a46f4af

SHA256
9c3543e03d78acb8540aae312b0f2fdcc5fcb5a7e2eedb50a108f2c99338384a

SHA512
d0a7aebe8d0be626cfd0706797f99eb028613701d69d8f0b3882fa38ff9804c60a74260fab690d92678f8cf40221f4fc751d63a2be7bedeff9d27092533c3d18

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\Unlock_Tool_2.1.exe

Filesize
569KB

MD5
5c2a77e122c1a5300fa6b7b6ea2bbe97

SHA1
3992a943741f08202e725068e1f1144253161587

SHA256
29f23613b6bbcf4014af898be8a29e0807bff07a81f35e179729ee7768daa76d

SHA512
92a151faf0b86b50e437afc4ed103334f10375824eaa9f0e79857691939aa4a9a4db3052f8d59154c9395265c24b9dc4571a7a89983115cd409a0bf800b47754

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1\locales\resources\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
C:\Users\Admin\Downloads\link.txt

Filesize
139B

MD5
c60c22715cb29a8310b0d0712b395733

SHA1
c01d25e0cd6118d77e80b69e84ced4699db498ed

SHA256
5c652ae8bb4fe83f367c0aa8766cad27079a5b690313bc9fe7466cf7124f5aa5

SHA512
8562de8bb49e98d3e8908d1ee5c65f54058eb4ad2acc792e83b67c3e4c3f30ad578c385c253a0917dbbb1725baf32a0500ba4a13768586e8d3307c9ff561dd4d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/2588-845-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/2588-844-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-807-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-817-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-782-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-783-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-760-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-777-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-759-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-770-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-808-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-778-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-818-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-750-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-771-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/3968-761-0x0000000022150000-0x00000000223AF000-memory.dmp

Filesize
2.4MB

Download
memory/3968-749-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/4028-835-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/4028-836-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/4028-828-0x000000001FD40000-0x000000001FF9F000-memory.dmp

Filesize
2.4MB

Download
memory/4028-827-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/4028-826-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download