vidar | 2a559ce1ff609781226319d7f57d6c8cf32487bd87bb796ea43ee015aa104a73

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe
Size

6.2MB
MD5

6dc517f58f112adcdd3cfae606a67964
SHA1

b59f74642e963111027613ce0206ca77aec06fda
SHA256

2a559ce1ff609781226319d7f57d6c8cf32487bd87bb796ea43ee015aa104a73
SHA512

6f04ac98d9ea1eb203d2b93e9ff9f02a26b2ff61a4afc61b47f5d7f6260a80bc085fbc24c97c43407651c231156f468d4fe00cb152e64c6be948fed6b19f4ed8
SSDEEP

98304:cTiMEvjmzKewwsZ2XoCx7fR+Q6VCKrUk:iiMEaI24C1UQszrU

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/1584-1-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-2-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-5-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-21-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-73-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-81-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-87-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-88-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-89-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-235-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-282-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-288-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-289-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-296-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-312-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-313-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-320-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-321-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/1584-322-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1456	chrome.exe
2284	msedge.exe
3736	msedge.exe
1324	msedge.exe
1032	msedge.exe
876	chrome.exe
4172	chrome.exe
8	chrome.exe
4412	msedge.exe

Loads dropped DLL 3 IoCs

pid	Process
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2236	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133747247443614131"	chrome.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
876	chrome.exe
876	chrome.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
2004	msedge.exe
2004	msedge.exe
2284	msedge.exe
2284	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe
1584	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 1584	1664	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	93
PID 1584 wrote to memory of 876	1584	BitLockerToGo.exe	95
PID 1584 wrote to memory of 876	1584	BitLockerToGo.exe	95
PID 876 wrote to memory of 1304	876	chrome.exe	96
PID 876 wrote to memory of 1304	876	chrome.exe	96
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4680	876	chrome.exe	97
PID 876 wrote to memory of 4624	876	chrome.exe	98
PID 876 wrote to memory of 4624	876	chrome.exe	98
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99
PID 876 wrote to memory of 3088	876	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbacc6cc40,0x7ffbacc6cc4c,0x7ffbacc6cc58
      4⤵
      PID:1304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:4680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      PID:4624
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
      4⤵
      PID:3088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1456
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4144,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4424 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:8
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
      4⤵
      PID:1816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:8
      4⤵
      PID:3488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3812 /prefetch:8
      4⤵
      PID:4656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3608,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
      4⤵
      PID:2424
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
      4⤵
      PID:2300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,5594043559051985223,9248318579499226004,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
      4⤵
      PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab7a46f8,0x7ffbab7a4708,0x7ffbab7a4718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2644 /prefetch:2
      4⤵
      PID:4020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4453037791961369888,5227498083368122796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3448 /prefetch:2
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HJKECAAAFHJE" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2236

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7dc315ac7b11d0c95b8d7a11dc6eecdd

SHA1
ce27baff71098ae9969e218ce5b5fa48b20cfff0

SHA256
7d8a27a6faa396a4a12cbd3d052cf596406b18e800dfebc47dd2bb8651a0faaa

SHA512
6807bb95adecc3b23085f10fa6503d60a84f1abeb2b3b75888725348e42e6c372ab5c588ae0e3085495b42bcdcfee15d6a4adda665efe1115f6f80509580d1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2ba0d852-423a-4df4-bc7c-fba889428352.dmp

Filesize
825KB

MD5
da2cb77606c51e7522707484ed8a8de1

SHA1
b5adf07a5e404c1d5f967ad1626dc8872f649ae1

SHA256
9be799e432adbbe4bab86e662515b179dfc1ccb6e0419a4c2f5019140eb71386

SHA512
8d0a5b51a8b36a6f7025734cc007d9e1987c98045ce0cf5b9d41109735c0daa592e774214668e0e86f75435221b99b0012f9ca5736078aeb540c3f754b9c62a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2ca7d8f2-3f9c-4dd5-972a-424284f2e5c5.dmp

Filesize
838KB

MD5
9ea050a1bb56e21654f768461a324284

SHA1
24a140731ac8d07d6bccfef6ebeff5b9c86f06c3

SHA256
a034efdb4497fec3babe0ff4942d988cea8bfdaad9bbab73402f05d630db5996

SHA512
5319d6448985ae093ec7106bf74bf230ea603570b9397b6b63bb3c64d10cc31be75564771ce6ee7e34ccba53588b85ae996cd00b12ac6d9b3d1ce63af2ccb627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\736034e3-8524-494d-989d-c204000515b2.dmp

Filesize
825KB

MD5
177a88206750c1c91e25b05ab9ee6348

SHA1
091ca1a9606ec7dec4fe6d374fa66c4166db4d87

SHA256
40dacfd4989cb4f2e37fa61e5ad8da9a8e434217d6457c2eb63bad3d9d16ba14

SHA512
21d7b40e5e93e29e1c368b876ec0bfbe4d4bbb32ff8c767b1f45201970d860941de20fb3ad7faa5c0ef9a5d69c511f6e09649e20563d38fbab8a4a03822224f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bf1e53f1-3522-4467-bde1-1285397bf3b0.dmp

Filesize
826KB

MD5
2150e0776d0dc394ad657ccda7192748

SHA1
81bb25c27e106e05fba605f46eff863a4fbe28fb

SHA256
6c75f4580d1985cf36d8f16dd3e3be3c8283febe56f4a49ec6e426880863452b

SHA512
5ff47af33f81cb665d9207ab5aeac9b316cdd0f3e99e2581326d57d0c2933548b98493a1634322aac78f8e9ec17cdde6e03eaa89384ca60613bbd3a5c536ddd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
22ba1fbc94ff4ac1754c8c36f6563713

SHA1
ace41385fa98102c387e8e35b2018a5b0130b995

SHA256
f4e20aa864f67906a63f1a22156446950ef45c9c05647a3f79200a9acfeb8b4b

SHA512
039eec9f704651d211d7a2eff3d8fe5b32a7b93568f23493fd0752a5bb279c58e339847fe3b8eab25ffe4fe6be95d0869afa2b2e4ae58cdc92ff3d5bd81f2d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0762774ff862306b536b89f39b35169

SHA1
b4eac6fa6dde3bcc74ddf8e1a6364279434545da

SHA256
9d974be9106e212b3187b1eaa79cb068c435dfaa4f2b73595da32b9924d1f678

SHA512
f8323c087f0ca565989586bb82dc2eb066a82c8a026cc2ef35aac2d029b5db87f0ef515c4d9c1b0901e9a318851f832e7a02070824cb3312c45b30374b78808c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6741f60a-287c-4cd8-a46d-3679e3fe268b.tmp

Filesize
5KB

MD5
9e6b9b72d493e7379ca570fdabb91d82

SHA1
318de9df3c9e475beb6d80a985bdb9854e3ab58a

SHA256
1702bad667668cc3da067ee0468f0c71beadc90999c085dd18f8386ed9128256

SHA512
da04f1ffa9d540b18011574d8c2c56a7cece9ca1d7324c83af41d219ab7548c76923386669c9e7bda158d2ebf042d0946a0a78134365218ed3a16761201e696a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/1584-73-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-288-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-88-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-87-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-81-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-0-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-22-0x000000001BAB0000-0x000000001BD0F000-memory.dmp

Filesize
2.4MB

Download
memory/1584-21-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-235-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-5-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-282-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-89-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-289-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-296-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-2-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-1-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-312-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-313-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-320-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-321-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/1584-322-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download