vidar | 07ad80ce87f2db34c10bc924702cc631834106d7ba5c2076a35c1ae933e09591

Analysis

max time kernel
151s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start10ThemeEdit.exe
Size

660.7MB
MD5

c12dfa79c1d3ca0a3c3ed007a4f25564
SHA1

5fc6404fb8d78be78d76272b3c3c869f90198792
SHA256

94e8892bd96427806b523b9fe551bc639297aeb58267c58c4cb7980b36a517a5
SHA512

5fe1dda86201129915b0569e2793a7f17c4fbe7d0fc881f7a0e4390608ec6dd4369addb243ebc5c29011e1df72218f79cbd42aa53f896fb0958e572f4494d345
SSDEEP

393216:fkcbf0j8aPknFM7mqF6WEuDLEXgqqIv1MCNrrPgLX3wRHyN6:scj0PPknFymqXE8gXKkJrPgL6SE

Score

10^/10

vidar credential_access discovery persistence spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 39 IoCs

stealer

resource	yara_rule
behavioral3/memory/2520-128-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-141-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-142-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-143-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-144-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-179-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-180-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-183-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-187-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-188-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-189-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-193-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-194-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-196-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-197-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-271-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-274-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-277-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-278-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-282-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-283-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-287-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-288-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-292-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-294-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-295-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-298-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-299-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-300-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-301-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-309-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-310-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-326-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-327-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-328-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-332-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-333-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-346-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7
behavioral3/memory/2520-347-0x00000000031F0000-0x0000000003212000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
61	2520	Start10ThemeEdit.exe

Uses browser remote debugging 2 TTPs 11 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
688	chrome.exe
2568	chrome.exe
1536	msedge.exe
3092	msedge.exe
3588	msedge.exe
2936	chrome.exe
3492	chrome.exe
4848	msedge.exe
3284	msedge.exe
2988	msedge.exe
4640	msedge.exe

Executes dropped EXE 8 IoCs

pid	Process
4648	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
2520	Start10ThemeEdit.exe
668	a1vsjeknyu.exe
2364	a1vsjeknyu.tmp
4020	a1vsjeknyu.exe
4584	a1vsjeknyu.tmp
1968	AutoIt3.exe

Loads dropped DLL 8 IoCs

pid	Process
4648	Start10ThemeEdit.tmp
4648	Start10ThemeEdit.tmp
4648	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
2364	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\celloidin = "\"C:\\c379e73c-67e0-4850-85dc-b797f37d593f\\Autoit3.exe\" \"C:\\c379e73c-67e0-4850-85dc-b797f37d593f\\celloidin.a3x\""	AutoIt3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 5088	1968	AutoIt3.exe	141

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start10ThemeEdit.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start10ThemeEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1vsjeknyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1vsjeknyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start10ThemeEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start10ThemeEdit.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1vsjeknyu.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1vsjeknyu.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start10ThemeEdit.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start10ThemeEdit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start10ThemeEdit.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
888	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133847940962871771"	chrome.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
4016	Start10ThemeEdit.tmp
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
688	chrome.exe
688	chrome.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
128	msedge.exe
128	msedge.exe
1536	msedge.exe
1536	msedge.exe
3188	msedge.exe
3188	msedge.exe
1348	identity_helper.exe
1348	identity_helper.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
2520	Start10ThemeEdit.exe
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
4584	a1vsjeknyu.tmp
1968	AutoIt3.exe
1968	AutoIt3.exe
1968	AutoIt3.exe
1968	AutoIt3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
688	chrome.exe
688	chrome.exe
688	chrome.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4016	Start10ThemeEdit.tmp
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
4584	a1vsjeknyu.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4648	4992	Start10ThemeEdit.exe	79
PID 4992 wrote to memory of 4648	4992	Start10ThemeEdit.exe	79
PID 4992 wrote to memory of 4648	4992	Start10ThemeEdit.exe	79
PID 4648 wrote to memory of 4584	4648	Start10ThemeEdit.tmp	80
PID 4648 wrote to memory of 4584	4648	Start10ThemeEdit.tmp	80
PID 4648 wrote to memory of 4584	4648	Start10ThemeEdit.tmp	80
PID 4584 wrote to memory of 4016	4584	Start10ThemeEdit.exe	81
PID 4584 wrote to memory of 4016	4584	Start10ThemeEdit.exe	81
PID 4584 wrote to memory of 4016	4584	Start10ThemeEdit.exe	81
PID 4016 wrote to memory of 2520	4016	Start10ThemeEdit.tmp	82
PID 4016 wrote to memory of 2520	4016	Start10ThemeEdit.tmp	82
PID 4016 wrote to memory of 2520	4016	Start10ThemeEdit.tmp	82
PID 2520 wrote to memory of 688	2520	Start10ThemeEdit.exe	83
PID 2520 wrote to memory of 688	2520	Start10ThemeEdit.exe	83
PID 688 wrote to memory of 2680	688	chrome.exe	84
PID 688 wrote to memory of 2680	688	chrome.exe	84
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 4468	688	chrome.exe	85
PID 688 wrote to memory of 3460	688	chrome.exe	86
PID 688 wrote to memory of 3460	688	chrome.exe	86
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87
PID 688 wrote to memory of 3520	688	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\Start10ThemeEdit.exe
"C:\Users\Admin\AppData\Local\Temp\Start10ThemeEdit.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\is-JQTUI.tmp\Start10ThemeEdit.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JQTUI.tmp\Start10ThemeEdit.tmp" /SL5="$50108,15291586,119296,C:\Users\Admin\AppData\Local\Temp\Start10ThemeEdit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\Start10ThemeEdit.exe
    "C:\Users\Admin\AppData\Local\Temp\Start10ThemeEdit.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\is-6TQOR.tmp\Start10ThemeEdit.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6TQOR.tmp\Start10ThemeEdit.tmp" /SL5="$50106,15291586,119296,C:\Users\Admin\AppData\Local\Temp\Start10ThemeEdit.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Users\Admin\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe
        
        "C:\Users\Admin\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" allodial.a3x
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe12f7cc40,0x7ffe12f7cc4c,0x7ffe12f7cc58
        7⤵
        
        PID:2680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1968 /prefetch:2
        7⤵
        
        PID:4468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2076 /prefetch:3
        7⤵
        
        PID:3460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2232 /prefetch:8
        7⤵
        
        PID:3520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4600 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
        7⤵
        
        PID:1564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4468,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
        7⤵
        
        PID:2280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4892 /prefetch:8
        7⤵
        
        PID:2844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,17709338812322751356,13402861733200961154,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
        7⤵
        
        PID:1996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe12f83cb8,0x7ffe12f83cc8,0x7ffe12f83cd8
        7⤵
        
        PID:1888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
        7⤵
        
        PID:4312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
        7⤵
        
        PID:3944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2360 /prefetch:2
        7⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4424 /prefetch:2
        7⤵
        
        PID:3456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2012 /prefetch:2
        7⤵
        
        PID:772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4588 /prefetch:2
        7⤵
        
        PID:2400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
        7⤵
        
        PID:3836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,7487669123164620905,8752925196121776558,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2988
      - C:\ProgramData\a1vsjeknyu.exe
        
        "C:\ProgramData\a1vsjeknyu.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\is-HGMKA.tmp\a1vsjeknyu.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HGMKA.tmp\a1vsjeknyu.tmp" /SL5="$B023A,13414214,119296,C:\ProgramData\a1vsjeknyu.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\ProgramData\a1vsjeknyu.exe
        
        "C:\ProgramData\a1vsjeknyu.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\is-UOKN8.tmp\a1vsjeknyu.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOKN8.tmp\a1vsjeknyu.tmp" /SL5="$E022C,13414214,119296,C:\ProgramData\a1vsjeknyu.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\AutoIt3.exe" celloidin.a3x
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Roaming\{2836644D-224C-4C95-892D-5D57DDC11073}\Start10ThemeEdit.exe" & rd /s /q "C:\ProgramData\y5xlf" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\a1vsjeknyu.exe

Filesize
14.0MB

MD5
31c1980129a020ffd2836386ec757229

SHA1
01da59330c87adcc026aec2ff17695917ca61475

SHA256
b0094fc915f2cca6534fa7edc48ae1e400687e4aea032b9a6f0e626331b573cd

SHA512
cc876005cf9ba5878069a542c89507cded8159402c6a4402bb10ca7ee3f9a6c613c1ba101836e8463ebf36249ebef923132d7bc8ad490d2e36c80d234861c7b7

Download Submit
C:\ProgramData\y5xlf\9hdt0h

Filesize
64KB

MD5
7708e47d25d3dc267550afca934a99a1

SHA1
2bc4295938491a5dfd4b21248b492ffe14a115fd

SHA256
0b98a2da67875eae856c5bd6a5d15ac859208a0f371f28eae3329658ff3a2dc9

SHA512
846c53cc8d1d727b9f1a496311ba6bb42aab273ba0331f5b71891b12d54af9cdd005af02d9f2ac017516bfb26788a44f88a847abb4b1ae17ef30827f14657cd9

Download Submit
C:\ProgramData\y5xlf\ecbiw4

Filesize
512KB

MD5
59071590099d21dd439896592338bf95

SHA1
6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c

SHA256
07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541

SHA512
eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

Download Submit
C:\ProgramData\y5xlf\j5xtjw

Filesize
64KB

MD5
e1f276df5ea9055348a459d92ca8dfc6

SHA1
43a69a6e18238de5ec2348f08259cfbbf79ccbbb

SHA256
a3a0d5a542aeb0b9c50d71cbbe38b442923f0e295f44190cf76402a7616c1ae8

SHA512
b03cf27823483da46fd407100becd1d289c97154bc6edfc24fb17210dfd45de15d1f5303c4f3e8bae5c9ab1a3fbeff775fc6e2323f8ab973aa47fccaeab2f71d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5332d65d7c50eee952b71eda55782f27

SHA1
9039a05b96d6f5fc532a4ddb304ec01aa2fe5879

SHA256
b677f0eeb2f0c049f48cc35d484ead2ba5434a74e4264e64d7f426fe45f2ff0e

SHA512
eeff99092be3b0bcf81e9ba0f2a72d592938ef90952e533f903707d1e0af2138db62a4b491476f499a0909bf52fc7aada7aa832c73aa882d40f488afe5b29b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8baaf6c583536c9e6327e9d4fddb4cc

SHA1
0c1436d1a870038a6cb0195704658ef59ef78906

SHA256
7cea1717ca57c727378be31a2046e1b4be05ceaff81e76d45b5b3fb1a0b09507

SHA512
6cdb5d74ebf3c2f398c2032e6047f32b342db6f28f997c9c3df2351e307b316a6d66127a3ba6f0b1a721e5afd50a5578ec9835ea25708fcd49850ec4ba64dd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
01f2b3aae99d33e559c3e11d27e07477

SHA1
b419b885ae996af3adaa23bf5ac28a91d2846fc4

SHA256
d067f6f4d87c7e9920d197859ddd5c86c7527524c8b4a2ee20af5feb36dbe1fd

SHA512
263a934b4e63bd47787d4b0bab485c9b9503508681c9053d7033c6e27cc283c472b22d886dd1a6a45d3fd9e37ab0e0eb334ef4910d7ed478e72012743be61895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-91NUJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JQTUI.tmp\Start10ThemeEdit.tmp

Filesize
1.1MB

MD5
b1f9d665e52c29972b50d7145d88dce1

SHA1
df2c67a5c32a19bb110ec8372134522c0dab9ac2

SHA256
2ffabb0018d335267d2d0101a41cac7ac7d1aa80956fae91825e46aaa85c0787

SHA512
bcdce189402ffc1c17b9803ac4040bd1cb23e32ba2c1476cbcfae13438078e01f78ad3f76e1bf71a6ec204663aa5f5780990016fc074218763d63db1431f1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TA8JU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TA8JU.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\7za.dll

Filesize
385KB

MD5
cb99bbdea56a7e08c8b475bcecd5df41

SHA1
5c9eb462054c8242b2a9f69b3e5d27c6a1daa0f6

SHA256
8ed926351e3c5acfffd5d3890b17d5d96990b7ccbdfc4e549df46ef963d52f88

SHA512
829e7b7e6cce4cf6b50438e451f4bbf3eabfe827c641fb2bef3808609267aa79dcdb987a569ee71b85a702953fa7861bb6b7e00f07efd18829391f32574dc4d9

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\ACEEXCL.DLL

Filesize
877KB

MD5
84784ef516d810edd01e7ec2775246e1

SHA1
7b6a9b90031270bd4868af5ab5e7175ab30d5efa

SHA256
65077d9942193aa89e119b86ed6e26cbed159acb13faaae6e6503aea0564e780

SHA512
4906c8f0633d948c7157ed71b58b83f5469259ce8b89ed7c5c2d3f0945781e73a8474901a0246e04d0da1ef9a861f1523d1f3c87f5924bdeef0363581e3e2b48

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\CppDebug.resources.dll

Filesize
385KB

MD5
f31b31d462d008b2f319cf9fa5b3744e

SHA1
0b5e96edbf7a4afe7cd52b0ee7e0a29ba72b4939

SHA256
20508054642d0d5030760095b6210fa88ca10288764a77683ac2bcb9d0d4cd43

SHA512
400edbfd2c4b66fcf91076685f379858717a60eeb1836cda01a5b2bfb1501229b57a48673b916c8acfabaf212be3bf0ced096431b9a5130f391efb8be239648b

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\DiagnosticsHub.StandardCollector.Bridge.dll

Filesize
290KB

MD5
ae1ee814db6be02481a5bb7d031760c0

SHA1
996ee493ddda8114d2957a1f6d0299e8e2be6ab6

SHA256
eeae37ec39a65b44309c973703a31bbf85ff13aa0b38e1668ded3455c5b55b1d

SHA512
94cd63e65c628d25d600cf0d7cc49d6dda7bce79ac6f4319dca91c45713c2d3764f1410453ef27f779ebda2550f0493b7f9468ce60a27a6eff6676307f44d9bc

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\GpuProfilingAnalyzer.dll

Filesize
334KB

MD5
7804edfa6e74df21c23efa1fbb52116b

SHA1
51eea741f5e1bcda5ac96dd46e3a2e9ce9f5309b

SHA256
fa903f2ff8a566c7728c8f2ac42409607cb1ef1519b9f9d3591a4656f095f8df

SHA512
1b8a181da013ee74a3f49a7ad2104c5b3817e7d7d1dc2e155210c5965b8c6179e034d635e418a0861d5ba563542cb03835ab6877daa77b26eb9eb97ccdc43e4c

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\LdrtBurn64.dll

Filesize
226KB

MD5
4b815e44d94d38438b90c3198797c0a5

SHA1
d29d9ca4f66e13c66eeb3e53332670f777252597

SHA256
0c80df2fdc238ddc66b5ae493a9dea395f03b828fdde4d6d90ffd76154d6ea03

SHA512
8563c2b7d1c2ee48a9ae297d8ab9251ed18a896d1ff4b29b088f02393891bf28f888e7c6d5c7c6133069d18fe5bec37d936dce6ca83d5ca64b901296669fc74d

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\Lib\is-2KGLT.tmp

Filesize
22KB

MD5
b7e5d9a2dc7e37d13dcfa24e7c81c0f8

SHA1
f87bdda9ff570ff3d53cdfa3393b7a2d826b8dda

SHA256
b51eb89d1dfb794095e98fbf1b87373006a1bc6dda6fcebfc86402804c32f7c6

SHA512
1a6af325524513b176d1a34c653b438a4f284f9079e9841ebaa27b025217027ec669189ea81b7d80b15e2de18b628f255822ae105ff40b7355dc9c071be9384c

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\Microsoft.Azure.Management.Monitor.Fluent.dll

Filesize
763KB

MD5
1e2cbea517a43333ff2a9543b87784fc

SHA1
38a3b0eafc3ba9a14e980a370a9035dacb6729b8

SHA256
eba1024441cd2801652b02e9bf60813cff30b7fac68e31f055e056ac75135d6e

SHA512
151a10fa1e52c1aae768afc1da936c03de50025cd6b65d4dbd43c3d586f3921fc23bc96d08b06ecd185f432f89b254c6810701138b286e98885b785d728fc206

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\Microsoft.CodeAnalysis.VisualBasic.CodeStyle.Fixes.dll

Filesize
216KB

MD5
ebe72cf87ea6cdc8f2ad4ffb9dcec178

SHA1
4c721340878eb8c33622eccf47eb449c46b55f48

SHA256
fb63d2ea793babc1b30f4cf35d323ec17e493b60c138814ca8193d6ba0b188e3

SHA512
60d2440c0cb5ee30a7c7b77782bb4b6977d45c732d6029cd7debf4f5a6d8330256a4d02c8a0c11f6e3f46b4f2a2ba09e7e439d2d98e0a33272a3304650a5b88a

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\Microsoft.Office.BusinessData.dll

Filesize
933KB

MD5
5f20cc1396134d409fb641cc6f78623c

SHA1
bd7643e4b22859524bc5efcb61df5e5c52daea6e

SHA256
c8b9ba1cd9cb779ab9553fde17ae145e3d90b283fb2fdd1c01cef7091970c514

SHA512
231a1b7c5ea47cedc35c0d09ac62a2d8057548091cf1ddf44b145791d687c40dfb707cac800c334cb655ab589e9119fd03339db65f5846ef83ce82d660c276e1

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\Microsoft.VisualC.ProjectStore.Implementation.dll

Filesize
1.1MB

MD5
4ee2f7bf87f129f0cdc25962cd10db98

SHA1
cb180413d4c1b69e3b7a52b7e2ba519eb0e4fd23

SHA256
b8d584deef1e17a9e54e7059dde7e0f9be6189fd9fb4eb3bbc4d80195439cbeb

SHA512
6d4a5fa140d941b3f0759092c46eda432521c26a49895fdf2c6852480e005c476105398cc686a2cbf24e8c2f8fabefb43d79833369fa7850e3cae5c4d801e746

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\Microsoft.VisualStudio.JavaScript.ProjectSystem.resources.dll

Filesize
425KB

MD5
4284df6b52b471072e4ac3bc5c91e9d6

SHA1
a41b9b1c6d5e3db10182929740b5b82ff8747e3e

SHA256
1e9cf8c5fdabbbffaa5cfe428cf356cab98afdc3466d7337b0bb0c595178de9f

SHA512
8e6f73ff43ed8ef80609196eed68c5eb7f0db13c9b8fd56caefdb6b6c4ad9e44f3b265296195c4b88c1333bc27bc5baad0ffff157614a45e30d3fd0c682aaed4

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\aspnetcorev2_inprocess.dll

Filesize
371KB

MD5
0c64f7c44299d6c60dddd35f3b3a8dcb

SHA1
1342926985f9d2405949ddf1e64fb36efc3182c0

SHA256
6ca448432389259852d5f5a5a134ffc593d9e1b3c5d8b37afeeb22979cf6fc6c

SHA512
d4663983721eab36832a267ab49ab65839b44b8d51f5760654e31e07a73cf357938e546ae48a7913457a59a4885be54914d8e259755f859d9b979ad0beef0e1a

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\celloidin.a3x

Filesize
1.0MB

MD5
1d65c9c904886e50c31fbcb33105b29b

SHA1
ebd619c3f2b2d701c83e476b0f81d2ef8c6df628

SHA256
d7be17d190bb74e981c06fab244a0bd901dccd1dd872c524db48693e33d36bd6

SHA512
1aed6815249a459ff1f19cce68a636f8ff3d7bdff2a82bcf161abafa541db3bd9716339a6bdf88253a048a2d8bbf8ef37458fe64d2da78cfbb3e5d9f8f457916

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\celloidin.pptx

Filesize
5.0MB

MD5
d0a65c478eec14c640565ef4f7195aa7

SHA1
50d01a9425692f4d2240183e2f61ab1b25e72527

SHA256
857e48b908a5f6c3e511b6597479e072a238810e901c2530c9b856bfc36318de

SHA512
c79ec1f9cd077665a2328c03166dc86793495eb098f3bf2fc96adbbc198a3f98bee96daabf1207a620772681a6a0d4a7af341f45aea11ffd5970786ac92a1472

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\cpfecl.Clang.Windows.arm64.dll

Filesize
432KB

MD5
8cea62007f23ec06224ced33fc635494

SHA1
17839da287796e36b4d2de0e3cd82e9e8cdda997

SHA256
aac9b0827cebb37e9068e6087c9f1aa3bd5d94ee46d9cf63cae2e94784f61c32

SHA512
e721b048f05e2c238e29f2c638d59bcd1855f5a93b8c1c2fe7334d90cd08858bbfa8cc6f7e9537b4f7ee5a1baca60d0c664f8ea0cadda9f43883cb0af655a9f0

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\fputlsat.dll

Filesize
967KB

MD5
5f3c2683da9ee8ef7d6464cce1463f81

SHA1
19df76f2f2d6ba9fc099479e209e81f08b83c9c6

SHA256
a9e676cb483c6aa45485ddcb3f01dcec52cd12906b71d6c97ae7a3bde931fbe4

SHA512
e824f056ab022dbc08d55cf5860ac9989d9b6d786526988eb588ad91511193237132c846cbdddb3b0ecdc6e3ffea3a49ba1340d6321cec5b293432128a853648

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\graphics-hook64.dll

Filesize
1.1MB

MD5
2c48f538acb4f796ac57c9ee48b77b75

SHA1
f3dbdc1a09ebf384eca18489b89d3536cc85d7d5

SHA256
3f7a220d9d988fbbf161c8979950ab58895550d411bb8e4a9ca83ead125abf25

SHA512
903f2772225d36b700fc3ec9f4c0b1032b28da6500499bcfc0823d87056bbae3ad47806116fd63555546e29ebca352b0243730fc2dda6e12e877f782bc81bbf4

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\libhogweed-6.dll

Filesize
273KB

MD5
4dcb8ab70f71fabb672186f5acb1ebe3

SHA1
84f9890d70c3002b15adeec18ec52e1ba72cfee1

SHA256
acf669f5d665c1b42c8073069311de08a872d1b4121e0bf92eafb68e4424c057

SHA512
31f9d73115265c72ee6b90d2a8020b6d95715a0f21081147fc7aeb49c1bc7f030c00e2bb1a1800d5b3901212834d9dc818ff196b4245f0547e5351f1d5ea3a71

Download Submit
C:\Users\Admin\AppData\Roaming\{A225B959-A37A-4A90-A8CC-60F084F9DBA4}\microsoft.visualstudio.graphics.dll

Filesize
664KB

MD5
3722b171bcaaa0dd245b45de546ea6a6

SHA1
12de412117c3aef922b0c91bc8a147079ab45b8b

SHA256
e30abd7d20980e6e5201a4ce5fb94f0492e0f31fc866627c7340c08b12ef2317

SHA512
0d76f5b729a1e780e5e196a1cb6f96aae1fa655b0cfacce22ee1701765c8e90d0614fd8ab5e2f2a2ed530e69670f894627cbf4bf3d0301bb5992cb088df54d83

Download Submit
memory/668-361-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/668-390-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2364-379-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2520-143-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-194-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-271-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-274-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-277-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-278-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-282-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-283-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-287-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-288-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-292-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-294-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-295-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-298-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-299-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-300-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-301-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-309-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-310-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-326-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-327-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-328-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-332-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-333-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-196-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-346-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-347-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-197-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-193-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-125-0x0000000001A10000-0x0000000001A29000-memory.dmp

Filesize
100KB

Download
memory/2520-189-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-188-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-187-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-183-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-180-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-179-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-144-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-127-0x0000000001A30000-0x0000000001A33000-memory.dmp

Filesize
12KB

Download
memory/2520-142-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-141-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/2520-128-0x00000000031F0000-0x0000000003212000-memory.dmp

Filesize
136KB

Download
memory/4016-49-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4016-45-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4016-121-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4016-113-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4020-380-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4584-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4584-124-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4584-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4584-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4648-28-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4648-6-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4992-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4992-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4992-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download