vidar | ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d

Analysis

max time kernel
95s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
Size

1.1MB
MD5

774c8215da3cb73644d36ca3f60e676b
SHA1

375f9c6d12374f17cd8f483c565015171b988e49
SHA256

ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d
SHA512

ceff4e53bdd23ce784be45b6ffa5598f01edaf16a800ba5fe1367b2fcc29de943d5cab9d40123ac9fc61677749b9c8b2efecb3624f05d285097bd6dc0e901207
SSDEEP

24576:s9y5ZBrOwXMFjy47F710L+O0WK2h4xsPxdUn6d9dZiffX6j76oy4cXW:skjrOaM97F71tbWK2h1Px06fdqCja4mW

Score

10^/10

vidar 57a8c39f1ac1987167a282329835ec7a credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

57a8c39f1ac1987167a282329835ec7a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3484-32-0x0000000004DD0000-0x0000000005046000-memory.dmp	family_vidar_v7
behavioral2/memory/3484-33-0x0000000004DD0000-0x0000000005046000-memory.dmp	family_vidar_v7
behavioral2/memory/3484-34-0x0000000004DD0000-0x0000000005046000-memory.dmp	family_vidar_v7
behavioral2/memory/3484-50-0x0000000004DD0000-0x0000000005046000-memory.dmp	family_vidar_v7
behavioral2/memory/3484-51-0x0000000004DD0000-0x0000000005046000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exeBatch.pif

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Batch.pif

Executes dropped EXE 1 IoCs

Processes:

Batch.pif

pid process

3484 Batch.pif
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5028 tasklist.exe
1660 tasklist.exe

pid	process
5028	tasklist.exe
1660	tasklist.exe

Drops file in Windows directory 5 IoCs

Processes:

ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe

description	ioc	process
File opened for modification	C:\Windows\PrefersTracks	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
File opened for modification	C:\Windows\ConsideringAttached	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
File opened for modification	C:\Windows\HoneyAmounts	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
File opened for modification	C:\Windows\DevelopedSimulation	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
File opened for modification	C:\Windows\CautionKnife	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

findstr.execmd.exefindstr.exetasklist.execmd.exetasklist.exeBatch.pifchoice.execmd.exetimeout.exead123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.execmd.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Batch.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Batch.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Batch.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Batch.pif

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2176 timeout.exe

pid	process
2176	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Batch.pif

pid	process
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif
3484	Batch.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 5028 tasklist.exe
Token: SeDebugPrivilege 1660 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Batch.pif

pid process

3484 Batch.pif
3484 Batch.pif
3484 Batch.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Batch.pif

pid process

3484 Batch.pif
3484 Batch.pif
3484 Batch.pif

description	pid	process
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	1660	tasklist.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.execmd.exeBatch.pifcmd.exe

description	pid	process	target process
PID 264 wrote to memory of 3328	264	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe	cmd.exe
PID 264 wrote to memory of 3328	264	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe	cmd.exe
PID 264 wrote to memory of 3328	264	ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe	cmd.exe
PID 3328 wrote to memory of 5028	3328	cmd.exe	tasklist.exe
PID 3328 wrote to memory of 5028	3328	cmd.exe	tasklist.exe
PID 3328 wrote to memory of 5028	3328	cmd.exe	tasklist.exe
PID 3328 wrote to memory of 396	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 396	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 396	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 1660	3328	cmd.exe	tasklist.exe
PID 3328 wrote to memory of 1660	3328	cmd.exe	tasklist.exe
PID 3328 wrote to memory of 1660	3328	cmd.exe	tasklist.exe
PID 3328 wrote to memory of 4076	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 4076	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 4076	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 4064	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 4064	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 4064	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 2588	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 2588	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 2588	3328	cmd.exe	findstr.exe
PID 3328 wrote to memory of 4240	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 4240	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 4240	3328	cmd.exe	cmd.exe
PID 3328 wrote to memory of 3484	3328	cmd.exe	Batch.pif
PID 3328 wrote to memory of 3484	3328	cmd.exe	Batch.pif
PID 3328 wrote to memory of 3484	3328	cmd.exe	Batch.pif
PID 3328 wrote to memory of 3416	3328	cmd.exe	choice.exe
PID 3328 wrote to memory of 3416	3328	cmd.exe	choice.exe
PID 3328 wrote to memory of 3416	3328	cmd.exe	choice.exe
PID 3484 wrote to memory of 2316	3484	Batch.pif	cmd.exe
PID 3484 wrote to memory of 2316	3484	Batch.pif	cmd.exe
PID 3484 wrote to memory of 2316	3484	Batch.pif	cmd.exe
PID 2316 wrote to memory of 2176	2316	cmd.exe	timeout.exe
PID 2316 wrote to memory of 2176	2316	cmd.exe	timeout.exe
PID 2316 wrote to memory of 2176	2316	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe
"C:\Users\Admin\AppData\Local\Temp\ad123b1589cb2c726de8da9af56ec2dacc22518cda285dc3c014c65c4d405a1d.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Tits Tits.bat & Tits.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 400445
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4064
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "navyfurthermoreacceptableinvestigator" Profession
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Atmospheric + ..\Commons + ..\Represent + ..\Humans + ..\Href + ..\Router + ..\Connection + ..\Sol O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\400445\Batch.pif
    Batch.pif O
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\400445\Batch.pif" & rd /s /q "C:\ProgramData\CAKEBFCFIJJK" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2176
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\400445\Batch.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\400445\O

Filesize
549KB

MD5
06217e9f55ff1dc889a0aa9aa2999b3c

SHA1
fad711a89fe670deca51f31fab7249d3f4232b3d

SHA256
bd7d098fba2a343099199ba99efd5191d62c341ad8883c7d4049e529f2355ffe

SHA512
fff6a95db81a48e6df4493c0aa8b373a97b592388b39c1ec5fd598892a43c4cc3d985d0e1405ac4ab7afc1919169fbff923a1b5bccb42083234a7c972c94317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antonio

Filesize
865KB

MD5
f893c06408989444917becc2c67e9720

SHA1
734160892a99b544f052fd92382010b80d054020

SHA256
02631bb82ed0d34347ba2980f9d5eb2ba2cd26e942c3f922b9215dd19ddf267e

SHA512
f49127c364acc89e5af14a901acba96ae2d39adb259ac20aebc20d3d9d55441d0c3c4199d886ea11ada02d4f27a3dd36f8d884e627c00d6cfb55fe18cd35fcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Atmospheric

Filesize
64KB

MD5
155702daaed607a3b9ae37027494655e

SHA1
b641842104fe4d99fcb4daae6435c5c3a9836d4a

SHA256
45173dcbe34d1963927f6f5f1a30be883807b9cfa55c27857115a43fa14c9e15

SHA512
69c436f8f7918422a7d61260dd242a9b737340f0b6c69e23a04e28b310d8b9f6c2b5534761d57a840e6b68765196ac81172cc43f37d30c6c4d4ec2cafbb02f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commons

Filesize
72KB

MD5
01d316f7f74b486c817c69726cefc328

SHA1
26c56b95c7aa7dc4fce2ddaadd9ec344bcc9f2e2

SHA256
dc10cd792e2859702c384da65c0c1bdaac764563c7311fb3c58495ed96791534

SHA512
373f403b537e833fe052640cbf75d4c819352027029dcc552fa3dc1d2fddd0fa36ac9084bfc912186b78951c3390414d123eb50b01c4be64101b5b4d2e96c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\Connection

Filesize
51KB

MD5
b6b68a11d199c97c897a262d3314a9ed

SHA1
07b63697ebdfdcd1910390b43477562dbc150355

SHA256
4a1c8403f1325713242c06529510ea73e88590760d20d836d7ba987586e99613

SHA512
70b79ce0e9ef278974576136bebf706646f6d7412b5c1eeb6ab9131ecd7b33621f2382009dc59758ea257f865b425e83c10e1fe2db52173d48d3923ee3821415

Download Submit
C:\Users\Admin\AppData\Local\Temp\Href

Filesize
97KB

MD5
39904f7826116996701e702069a0ca0d

SHA1
5b0133ca89160ac7f4805f4b054337a985086f69

SHA256
5ba66a80e757c3a7cf2e16e709090fcbe8f8019e70c4266fd957ce4878b8719a

SHA512
c67407d641b9cda3ee41778ddae04566853c1e9d99d89c3e8beb54c27b68bfbe39da7d632acfc5ace72941c7c0b94c57cd08f732c5dcb4a4a845f8da5a94e569

Download Submit
C:\Users\Admin\AppData\Local\Temp\Humans

Filesize
91KB

MD5
82b096504036d6c23531db83a3dbc2bb

SHA1
6747cc73044ada91759edfcc19206038dd5af327

SHA256
53744685d58b788ec091eb57fa850ed1a78c17b80ee1ba21796d6533e4c07cd0

SHA512
f5f1819fddcf159b5e60972741a3e270c9a26b41ee4220739aa381a09264ed4d7f9e5d4fe18df4d066850c241a20baf638f163ef8992bc917b9b86b043ba31f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profession

Filesize
6KB

MD5
6095cc0e5110bfbf129b695533148cf3

SHA1
4dfd2f248e726dc1357f15b16b80a1ab71f3a46e

SHA256
a354428e5be2519aa3db2abed313d510ae754ddf052c38f405235bdc73c2c630

SHA512
ae6307fa1b327d34a56e80e40412e6557746fc6ec3ee7a7e7040b8be8826016b78e77c77b5041888c92ad1ee0b760b3ccd7d2f6d3bf66c0d577aa936d98170f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Represent

Filesize
66KB

MD5
09cafc2cd2586f5bfab33937d069b114

SHA1
c7303feb233867e8deedec7003347dfe90701f0b

SHA256
5b31062934d1afe4e887b181cc0f2add523465a63f710333824102749ae2a768

SHA512
5ab63bfca3aace35117dd4013b44ff9ec8edf8c9dfa79481ed3f8b2b5790aec3b01b512286a52eff7c8c210de7bf3093274289c10a3be0ef74d51f2e399d80f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Router

Filesize
78KB

MD5
44d0f8f9c4b06736e9063432c40ad468

SHA1
79396180851fba1d3b611603455d61798574891d

SHA256
df754244594bab7d25764ca6df24dc7e19d3d6eb8ab29a575b665c8559f6ef78

SHA512
dfcfa10fb7017638889593cb7c2c7bc9d43564978f4eb05c68d49e1dbba820335b0c115a91b88011a83eee1adee0c9e4cf7900f575dcf696a079941bb7e96eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sol

Filesize
30KB

MD5
caefb3c36d5bd6c6923ea3c264f76de7

SHA1
4554acb578278bbb2c4db326960e49736c968459

SHA256
38206815f4ea33415c17f1c5e6ec111cbcff8f31b4ebf1f16b2caf3e0e9f3ee3

SHA512
97f7f9de8ecbd47c576745fcee926c70b72610c4ae535452c2b22c595de9b9b401d6ed74d5a13a9e4e9fd09291c3512401b9b3e2c638716bb37ef4030e5d4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tits

Filesize
20KB

MD5
1a43009615b399c7da8fc4748bd7149d

SHA1
4a118c8b399b92d7812d715b588f049b37efd6d2

SHA256
afcd2cdc62a903f0cb91c678bc8f9e6a0022a06ae6ce4bb25edf3d6886ff7165

SHA512
01313dcbcd37fc4f7c492ceedaf4c57c58cb2478e4c3d7510435b8ca8e3b3b55d879b216f0a2bd15e8a487d6aecc0cd2f805cba993eaa0f278dfa6cab90599ed

Download Submit
memory/3484-30-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-29-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-31-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-32-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-33-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-34-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-50-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download
memory/3484-51-0x0000000004DD0000-0x0000000005046000-memory.dmp

Filesize
2.5MB

Download