vidar | dbc1850dcf3759cfb4a968693c812db1110d693cdfb4f54353a5d6e98637a3cd

Resubmissions

25/02/2025, 09:19

250225-laka2askt2 10

25/02/2025, 09:14

250225-k7t13a1r16 10

Analysis

max time kernel
149s
max time network
153s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25/02/2025, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Application_x32_x64.rar
Size

115.8MB
MD5

aa95156b97009ff8f8b052473dd672e6
SHA1

ac7f4e7933d90940444f1a4e754eb8e2901033e8
SHA256

dbc1850dcf3759cfb4a968693c812db1110d693cdfb4f54353a5d6e98637a3cd
SHA512

00435e85561ae44347b6bbee74dda59a646a880a000bd2d3b7d1a31e8f8c81c146579735bedbb8fedcba614998dfbc0747eb65320b2ed3a8f8ec6cd433093a0d
SSDEEP

3145728:u9V7tlK02gSANgXNri1xIzJVIQ8qjS1sUUS+DVLB:kbK0+AuBikXtiCScb

Score

10^/10

vidar ir7am credential_access discovery execution spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/lica

exe.dropper

https://yaykisobakitop.top/kjlrfejkrfkrerfk3fkfrkerlkfr3ejhkRKFJKERKJFREWKJ34JK34JKDWK/lica

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 12 IoCs

stealer

resource	yara_rule
behavioral1/memory/2184-379-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-381-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-388-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-389-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-390-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-391-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-392-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-393-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-394-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-395-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-440-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/2184-441-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
43	4528	powershell.exe
45	4528	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
5456	powershell.exe
4528	powershell.exe
5748	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
45	4528	powershell.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1200	chrome.exe
652	chrome.exe
2616	chrome.exe
5100	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000a000000027eec-366.dat	net_reactor
behavioral1/memory/4448-376-0x00000000004B0000-0x0000000000526000-memory.dmp	net_reactor

Executes dropped EXE 8 IoCs

pid	Process
1112	Setup.exe
3236	Setup.exe
1288	Setup.exe
4008	7za.exe
4448	AQ9EJFCI.exe
2184	AQ9EJFCI.exe
5884	Setup.exe
6032	7za.exe

Loads dropped DLL 2 IoCs

pid	Process
1288	Setup.exe
5884	Setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\mapi32.dll	Setup.exe
File created	C:\Windows\system32\mapi32.dll	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 2184	4448	AQ9EJFCI.exe	113

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	4448	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AQ9EJFCI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AQ9EJFCI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AQ9EJFCI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AQ9EJFCI.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
1636	timeout.exe
4880	timeout.exe
3392	timeout.exe
5804	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133849486248050959"	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4012	7zFM.exe
4012	7zFM.exe
4012	7zFM.exe
4012	7zFM.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
2684	powershell.exe
2684	powershell.exe
2184	AQ9EJFCI.exe
2184	AQ9EJFCI.exe
2184	AQ9EJFCI.exe
2184	AQ9EJFCI.exe
1200	chrome.exe
1200	chrome.exe
5748	powershell.exe
5748	powershell.exe
5748	powershell.exe
5456	powershell.exe
5456	powershell.exe
5456	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4012	7zFM.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4012	7zFM.exe
Token: 35	4012	7zFM.exe
Token: SeSecurityPrivilege	4012	7zFM.exe
Token: SeSecurityPrivilege	4012	7zFM.exe
Token: SeSecurityPrivilege	4012	7zFM.exe
Token: SeRestorePrivilege	4008	7za.exe
Token: 35	4008	7za.exe
Token: SeSecurityPrivilege	4008	7za.exe
Token: SeSecurityPrivilege	4008	7za.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeIncreaseQuotaPrivilege	2684	powershell.exe
Token: SeSecurityPrivilege	2684	powershell.exe
Token: SeTakeOwnershipPrivilege	2684	powershell.exe
Token: SeLoadDriverPrivilege	2684	powershell.exe
Token: SeSystemProfilePrivilege	2684	powershell.exe
Token: SeSystemtimePrivilege	2684	powershell.exe
Token: SeProfSingleProcessPrivilege	2684	powershell.exe
Token: SeIncBasePriorityPrivilege	2684	powershell.exe
Token: SeCreatePagefilePrivilege	2684	powershell.exe
Token: SeBackupPrivilege	2684	powershell.exe
Token: SeRestorePrivilege	2684	powershell.exe
Token: SeShutdownPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeSystemEnvironmentPrivilege	2684	powershell.exe
Token: SeRemoteShutdownPrivilege	2684	powershell.exe
Token: SeUndockPrivilege	2684	powershell.exe
Token: SeManageVolumePrivilege	2684	powershell.exe
Token: 33	2684	powershell.exe
Token: 34	2684	powershell.exe
Token: 35	2684	powershell.exe
Token: 36	2684	powershell.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe
Token: SeShutdownPrivilege	1200	chrome.exe
Token: SeCreatePagefilePrivilege	1200	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4012	7zFM.exe
4012	7zFM.exe
4012	7zFM.exe
4012	7zFM.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe
1200	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6064	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 1112	4012	7zFM.exe	89
PID 4012 wrote to memory of 1112	4012	7zFM.exe	89
PID 4012 wrote to memory of 3236	4012	7zFM.exe	93
PID 4012 wrote to memory of 3236	4012	7zFM.exe	93
PID 1288 wrote to memory of 3936	1288	Setup.exe	99
PID 1288 wrote to memory of 3936	1288	Setup.exe	99
PID 3936 wrote to memory of 4008	3936	cmd.exe	101
PID 3936 wrote to memory of 4008	3936	cmd.exe	101
PID 3936 wrote to memory of 4008	3936	cmd.exe	101
PID 3936 wrote to memory of 1636	3936	cmd.exe	102
PID 3936 wrote to memory of 1636	3936	cmd.exe	102
PID 3936 wrote to memory of 3636	3936	cmd.exe	104
PID 3936 wrote to memory of 3636	3936	cmd.exe	104
PID 3936 wrote to memory of 4880	3936	cmd.exe	106
PID 3936 wrote to memory of 4880	3936	cmd.exe	106
PID 3636 wrote to memory of 2996	3636	cmd.exe	107
PID 3636 wrote to memory of 2996	3636	cmd.exe	107
PID 2996 wrote to memory of 4468	2996	net.exe	108
PID 2996 wrote to memory of 4468	2996	net.exe	108
PID 3636 wrote to memory of 4528	3636	cmd.exe	109
PID 3636 wrote to memory of 4528	3636	cmd.exe	109
PID 4528 wrote to memory of 2684	4528	powershell.exe	110
PID 4528 wrote to memory of 2684	4528	powershell.exe	110
PID 4528 wrote to memory of 4448	4528	powershell.exe	112
PID 4528 wrote to memory of 4448	4528	powershell.exe	112
PID 4528 wrote to memory of 4448	4528	powershell.exe	112
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 4448 wrote to memory of 2184	4448	AQ9EJFCI.exe	113
PID 2184 wrote to memory of 1200	2184	AQ9EJFCI.exe	117
PID 2184 wrote to memory of 1200	2184	AQ9EJFCI.exe	117
PID 1200 wrote to memory of 716	1200	chrome.exe	118
PID 1200 wrote to memory of 716	1200	chrome.exe	118
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121
PID 1200 wrote to memory of 4648	1200	chrome.exe	121

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Application_x32_x64.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\7zOCAF06697\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCAF06697\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\7zOCAF03187\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCAF03187\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Users\Admin\Desktop\data-Setup\Setup.exe
"C:\Users\Admin\Desktop\data-Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\data-Setup\data\extract_and_run.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\Desktop\data-Setup\data\7za.exe
    7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_16611
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "extracted_16611\sss.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Desktop\data-Setup\data\extracted_16611\script.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Users\Admin\AppData\Roaming\AQ9EJFCI.exe
        
        "C:\Users\Admin\AppData\Roaming\AQ9EJFCI.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Users\Admin\AppData\Roaming\AQ9EJFCI.exe
        
        "C:\Users\Admin\AppData\Roaming\AQ9EJFCI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa8d0dcc40,0x7ffa8d0dcc4c,0x7ffa8d0dcc58
        8⤵
        
        PID:716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2016 /prefetch:2
        8⤵
        
        PID:4648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1756,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2072 /prefetch:3
        8⤵
        
        PID:2512
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2184 /prefetch:8
        8⤵
        
        PID:4468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=1776,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3216 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4616 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3684 /prefetch:8
        8⤵
        
        PID:1128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3236,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4788 /prefetch:8
        8⤵
        
        PID:2500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4544,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4808 /prefetch:8
        8⤵
        
        PID:3692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,9090420133452474130,4478307653409391135,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:8
        8⤵
        
        PID:1256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 808
        6⤵
        Program crash
        
        PID:2492
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4448 -ip 4448
1⤵
PID:2604

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3844

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5252

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5292

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5376

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:556

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5492

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5448

C:\Users\Admin\Desktop\data-Setup\Setup.exe
"C:\Users\Admin\Desktop\data-Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\data-Setup\data\extract_and_run.bat
  2⤵
  PID:5984
- - C:\Users\Admin\Desktop\data-Setup\data\7za.exe
    7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_16891
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6032
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "extracted_16891\sss.bat"
    3⤵
    PID:6136
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Desktop\data-Setup\data\extracted_16891\script.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5456
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1cffec0d-29c5-45e5-b4c4-1d2f5a23f84c.tmp

Filesize
8KB

MD5
5eca10100e6b63311525b07e9e81d37e

SHA1
5bb32099b5615d52412e8027c0fe1b484126868f

SHA256
f88320376329bbbddbaa49a91fdcece74711bbbf1fdff29e3c1439e44e7c3038

SHA512
65099fa7c26b323a6358fa2fb158a2f6ae7f1b6ecf1306a914d2c1dbf33bbcc217a69de7250dd175a7f54605d4d944c1de49747ff8afe3a468dfd2450f6c5179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
24015f4c07ca2a2c6dc000e4d1f90131

SHA1
c4b71626ace7a03a50f76e3e18e690a6ba295e27

SHA256
b54fb2b82182a36c7a718c0017a60bed7b749ef9f0d5b030b2c6b8c12e63e9d7

SHA512
95320c5cebd9f7e25dc79f48e982bad23be738a7dfb0cda80226b5c0c1f0d03d282aebb0e7d37be7bc54bc28858dc0b8f414075e21237fc6a8c7dba3105e0507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7a8871e7f34a7a3037cb3f4027e5a11b

SHA1
6c6e16a9179fbe8bba6ffc1d5f5800e700625ec0

SHA256
0e5b10e027d51f747c055830cc0fb71880943b17c55ace562e6fe3fe4b1e555f

SHA512
e400a942429d790599a09a05ff80feea5974ad05faa368c3fd9c182ff50130dff631dcde23a90b5dbab2ceb08e3edb563d15c2ce718e0bfe555d0848be4644aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
78118560a33754c8fa65f36e72547d71

SHA1
483aba5c020fce7f9a3b0b8910d1fa84cb94d406

SHA256
2beaf7ef0a41b90d1d7578dfb120d823bbc9ac9e104cb44656de5421d3180db8

SHA512
55d7724e367223b48a6b2cd3ee1261c6ef352635098bdb60addabaca28854a63af7d67bb616db702f738732dd545de49f24bf166a5337461fd366c677cce3bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67c67f488b7ee51a40e2695cb353a62c

SHA1
e8d4f1686f3838a36b1a498056e7b03a3dfb8a8a

SHA256
899b3d7fadfb50827d58a080dec63aeb031510c380887d45974a3538d2443972

SHA512
7ade4181f2f6c93fcb604d767ee6f42ac5edd4be2f1a2161ea7d245c92a2195c8d0bbdf91ab3395ae368c641f044e4f44e8450058ce125ab508b7f9725b08526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
425d43dff34f948b081a4a34199df18a

SHA1
5db08bc4632bc932b0983d51e1875ae8e511a87a

SHA256
4752e36315dedeeeff100eb41a64149d68bba170baf98e7980da60b434df82de

SHA512
5f7a00171cc3b94cf4815816aa45be0453c4771a00e0212004522852092a011f3bf4871f0767a48e8fe29dbb4efa24f427d4f7a5d2612ba52fd605979583d4b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
43e1a708d9b03c4c765b2f29825cd6d5

SHA1
8af002bf46615143c2e51669841371a355646ce5

SHA256
2059b39c1679f4984d0fa7795ef54a65547b9a7b93156ff36e95624460426a82

SHA512
e18c64d2ce03c145eccc0e221cf661b1c2ad76a7e84416ecc67c4cac53679e0b8f4efe309a8bc1860bf5b8ba4f76fc7293fd721e4b48a078a194926d3c69fbf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
c03e1cd15b718ddb51839a91f25a3754

SHA1
36c4f333c827a5d17f755b58eae184b9bd9a1690

SHA256
00f590d636515a88c30659c1dfa4903b941e9be7bd3d5375f2a8bedb765eddcd

SHA512
29a37e70db83e349300c8060cf7c7db9cb4caddc6fd82f50d9643b90f8ec2e218339dd300134214216426707baf417ed2ab0e292c8b40332e678e98c60d18c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
5d5dac3bd7069c45565dfa30c7bc56bb

SHA1
2805011565a21d7f8561a9ddff1e3ef2173f49cf

SHA256
b15b4946865fdca3702505b81006aeedb4bad9d2615c1ed79ff5320b477e74ba

SHA512
7216111348c70b4d12a7cbe5d206862c2259c27ec84d20f0ab9b5cd93b730bceb75f84d720b24b3b85e6cdd518fc1962799d2ae4b50c7c3881a0a5411aabf7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66dbe1cac1f5f8acdad88aa96e4991b7

SHA1
dde1cacce4b3d1c4f2c19b10b2238d0b665f07b9

SHA256
9db06481997dda867d13f0f9f01e638dab5a4759583dea3b6d8444ef9f3d673f

SHA512
513b6a749c8a9640c07b9f4c7201f4d020a9ef42038dd641ccad3f92588d8c86a9b6fc82904b1b61a9b13dbf6a3ddacedbc9d8b3f467094d554e83754adb1b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCAF06697\Setup.exe

Filesize
44KB

MD5
f86507ff0856923a8686d869bbd0aa55

SHA1
d561b9cdbba69fdafb08af428033c4aa506802f8

SHA256
94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb

SHA512
6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sciakdzm.dun.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AQ9EJFCI.exe

Filesize
435KB

MD5
e904c82b8fdf5557ee919ef1e8389e29

SHA1
2a1b9dbf779a156a8e4bb3ff1720a561a37c853b

SHA256
6c4fcdf833c8033591dd488b6dd62c0b93dbb80014a3dff84dd260a52b006876

SHA512
24b7300b1699aa678ddf85682d2e8b76a6713ddc3f02c8acc323c8a09546552488f3923cb3bb2f397e09bfed73b6a9503233a8038106312ee831729d04ad99fc

Download Submit
C:\Users\Admin\Desktop\data-Setup\data\7za.exe

Filesize
828KB

MD5
426ccb645e50a3143811cfa0e42e2ba6

SHA1
3c17e212a5fdf25847bc895460f55819bf48b11d

SHA256
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

SHA512
1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

Download Submit
C:\Users\Admin\Desktop\data-Setup\data\bin

Filesize
2KB

MD5
7962313e120c69398a763a1ff2ac0164

SHA1
215645ba6ee318a96d7969c06a57739639a05817

SHA256
25881f2a1e8cd884675d1694e1ddff905864bbf412324573213a6a254d21b5c2

SHA512
9bba21a34ca2a1996c9393e7986858c0c7facebad7a4a155a374270449feb09e7bb398a4e5b5fdbb5904c8b4eb7e3d1e401a6126f7978a9b973ce27a1a157344

Download Submit
C:\Users\Admin\Desktop\data-Setup\data\extract_and_run.bat

Filesize
952B

MD5
fae61599308bbc78cae99ebdcb666f43

SHA1
de0a1d2344b09b29b1040bd4904f604a47a6d8c6

SHA256
f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863

SHA512
8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

Download Submit
C:\Users\Admin\Desktop\data-Setup\data\extracted_16611\script.ps1

Filesize
2KB

MD5
99415b8fc82ca4f7f74bb44ff6a3728b

SHA1
71f6ab43986039707a2000e4ce7220adba80713e

SHA256
023cd9c0eeabc40c3724fe2aa3387a14d0baf76cfc7fa78aa9613a0e43e9a390

SHA512
149a48eed0bdc21a851a2d554e2a85371b7f2ea5d36296b6615eae5d57fdfeb755ad6dba5f89e8ec5c3e3ca537019687b3e955f939c39b7484b87e75acb5c0f2

Download Submit
C:\Users\Admin\Desktop\data-Setup\data\extracted_16611\sss.bat

Filesize
405B

MD5
9ca3883fd45a5a455e64704ac6151ac9

SHA1
e7f89032ce544253a51020d7e894f6919fc35839

SHA256
c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

SHA512
e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

Download Submit
C:\Users\Admin\Desktop\data-Setup\mapistub.dll

Filesize
218KB

MD5
19f2358e19e6216a1c869fd86cd38df6

SHA1
ec475b62bd4162615509ed1bf597b670392965e6

SHA256
fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864

SHA512
c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48

Download Submit
memory/2184-390-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-395-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-394-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-393-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-392-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-440-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-441-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-391-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-389-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-388-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-381-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4448-377-0x0000000005440000-0x00000000059E6000-memory.dmp

Filesize
5.6MB

Download
memory/4448-376-0x00000000004B0000-0x0000000000526000-memory.dmp

Filesize
472KB

Download
memory/4528-345-0x00000208FFDC0000-0x00000208FFDE2000-memory.dmp

Filesize
136KB

Download