Malware Analysis Report

2024-12-07 19:18

Sample ID 241114-ns1f3syemd
Target Vidar.exe
SHA256 9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04
Tags vidar 7c37934964656ffad71319cfd3f70c69 credential_access discovery stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04

Threat Level: Known bad

The file Vidar.exe was found to be: Known bad.

Malicious Activity Summary

vidar 7c37934964656ffad71319cfd3f70c69 credential_access discovery stealer

Vidar family

Vidar

Detect Vidar Stealer

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-14 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-14 11:40
Reported 2024-11-14 11:42
Platform win7-20241010-en
Max time kernel 121s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vidar.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (7 identical rows)
PID 1712 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vidar.exe

"C:\Users\Admin\AppData\Local\Temp\Vidar.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (100 identical process entries, each with the command line below)

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"

Network

N/A

Files

memory/1712-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

memory/1712-1-0x0000000000B10000-0x0000000000C52000-memory.dmp

memory/1712-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

memory/1712-3-0x000000001B5B0000-0x000000001B6B0000-memory.dmp

memory/1712-4-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-14 11:40
Reported 2024-11-14 11:42
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vidar.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Vidar

stealer vidar

Vidar family

vidar

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2260 set thread context of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (3 identical rows)
PID 2260 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (3 identical rows)
PID 2260 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Vidar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe (10 identical rows)
PID 4308 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 5104 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\Vidar.exe

"C:\Users\Admin\AppData\Local\Temp\Vidar.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" & rd /s /q "C:\ProgramData\CGIEGHJEGHJK" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2260-0-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

memory/2260-1-0x0000000000FD0000-0x0000000001112000-memory.dmp

memory/2260-2-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

memory/2260-3-0x000000001DFF0000-0x000000001E0F0000-memory.dmp

memory/2260-4-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

memory/2260-5-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

memory/4308-6-0x0000000000400000-0x0000000000700000-memory.dmp

memory/4308-8-0x0000000000400000-0x0000000000700000-memory.dmp

memory/4308-11-0x0000000000400000-0x0000000000700000-memory.dmp

memory/4308-25-0x0000000000400000-0x0000000000700000-memory.dmp

memory/4308-26-0x0000000000400000-0x0000000000700000-memory.dmp

C:\ProgramData\chrome.dll

MD5 eda18948a989176f4eebb175ce806255
SHA1 ff22a3d5f5fb705137f233c36622c79eab995897
SHA256 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

memory/4308-30-0x0000000000400000-0x0000000000700000-memory.dmp