vidar | 8a51d26be760d2515fdbe742bc84bd08d05d4e7f665bdd3c37b8c425f839675e

Analysis

max time kernel
124s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe
Size

573KB
MD5

017e837d6e14a2412d5b7b385f8bca28
SHA1

3596a371841ec6cad17cdbfcde4425d980cb69e5
SHA256

8a51d26be760d2515fdbe742bc84bd08d05d4e7f665bdd3c37b8c425f839675e
SHA512

3aa9e36006182f8e640d8efb84fb505d8449c0d7feea0a803c5e7b283a11603ced81b076016acd15aedb15b0a1f060b7c76ebc53063c8fe9f54be925bf79c855
SSDEEP

12288:5ONjf6etLUrXh2ceG+9LKLdEEo4Edka+9LKLdEEo4Edk:5mfZxMaKLdjRaaKLdjR

Score

10^/10

vidar c466785b3a34d7b3c4d6db04a068b664 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

c466785b3a34d7b3c4d6db04a068b664

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 36 IoCs

stealer

resource	yara_rule
behavioral1/memory/6024-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-3-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-20-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-24-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-28-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-29-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-65-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-75-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-76-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-77-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-78-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-81-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-82-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-86-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-87-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-91-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-717-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-780-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-791-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-794-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-796-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-800-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-801-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-802-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-803-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-804-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-808-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-809-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-810-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-811-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
6092	chrome.exe
5184	chrome.exe
6052	chrome.exe
3596	chrome.exe
5100	msedge.exe
1676	msedge.exe
4504	msedge.exe
1572	chrome.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5992 set thread context of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133894745909939677"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{A97B339A-9C95-483C-B34A-A3A818AB7CD1}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
1572	chrome.exe
1572	chrome.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe
6024	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe
Token: SeShutdownPrivilege	1572	chrome.exe
Token: SeCreatePagefilePrivilege	1572	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
1572	chrome.exe
5100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5992 wrote to memory of 3460	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5992 wrote to memory of 3460	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5992 wrote to memory of 3460	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	88
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 5992 wrote to memory of 6024	5992	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	89
PID 6024 wrote to memory of 1572	6024	MSBuild.exe	97
PID 6024 wrote to memory of 1572	6024	MSBuild.exe	97
PID 1572 wrote to memory of 2468	1572	chrome.exe	98
PID 1572 wrote to memory of 2468	1572	chrome.exe	98
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 6040	1572	chrome.exe	100
PID 1572 wrote to memory of 6040	1572	chrome.exe	100
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 944	1572	chrome.exe	99
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101
PID 1572 wrote to memory of 2868	1572	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff90f8cdcf8,0x7ff90f8cdd04,0x7ff90f8cdd10
      4⤵
      PID:2468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2072,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2020,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      PID:6040
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2560 /prefetch:8
      4⤵
      PID:2868
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3272,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4280,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4320 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:6052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4532,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3596
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5312,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4916 /prefetch:8
      4⤵
      PID:3744
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5476,i,12295912119485054950,6781956798378473889,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5488 /prefetch:8
      4⤵
      PID:3420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ff90f8af208,0x7ff90f8af214,0x7ff90f8af220
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:1820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
      4⤵
      PID:2556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3560,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3572,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:8
      4⤵
      PID:5300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4876,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8
      4⤵
      PID:5664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
      4⤵
      PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5760,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8
      4⤵
      PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5760,i,4779689629076146210,6337726771134661671,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:8
      4⤵
      PID:2072

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
b40903cc8621156dd03fc4d9cd87107a

SHA1
57c7074fc7fc45b08d4fc12ec433a8116535df92

SHA256
02c3d1229d22a9279c6043b7e5151b50b3c4570b71f5c134341ee1d4519f1055

SHA512
d836a46d12f727414bf1e718c9c1bd6d622711f7e135f1749ff451ff504977e224236456fa888bb77db3118da58e1199dcf8c4d10200811b5bb7b1bc7e46d9de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
11c2e57893fdcb482f797383bade88cf

SHA1
8f77e7929ebcfc3c67e97074a08ecb65f95ba680

SHA256
80407a6b2be14d303f99aa7ed0cb6f53855c28d8c057b4ba74d8a030ab571c16

SHA512
c57cbb7a3a60b2c9d8c00ebf2d64a5460a385b04a33a52a69de000e1227cdebdf43ecdb37c7fc084e6d867e6a96b83ad72f204f8fc097cb71c4cbf286ed75cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
19813ff3ea515fb9bcb22288271f6a8f

SHA1
ffec3120a3457d595c616249b1b4ab67768eea1b

SHA256
997439931cb56ea345007c109f7519817a68b04665b172dc129cde8a0242c5ea

SHA512
38c832d175da25df23f09376c091e84fd2dd560f370a62719154ee2d206696cbe5fb5b0768204112f573c6bb3b70d32ce7911a9d7302ef5ce8fbd539cfb8c635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
cc3d4128535fa14bb315d8d7f7f852c6

SHA1
97bb92696840c33e668df07fa6e7d8709b40a174

SHA256
93a4634596bf70d8829f46b28bbd0397afca6ce994856ee918a5a86be91a113f

SHA512
15eeb8800f1cd7712c1f50930149c2dbadcad3be71e062c619c562df6504b2c0bc43660566427bcb3e85e558724e64c4da1bebdb29953980e4351491e4b510ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
fd35344054fef6a0b4dd978ec60c2a27

SHA1
aa70911bfefba01d4d8bd3017b5d4854a8c49ac5

SHA256
0cf87bd99742e141216855128b40727790692a20fa2dcd3a1eafeed7bc19c99a

SHA512
e8df39ccafa8d6c30d160e0a320b12befc1bbc2cdbd91e6b612d728a05e0c60438f918e343db6a909fc4b9ad7193d47a73313f8a1e0884cae80228fc74c564d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
21KB

MD5
2aa2ebc3c0d1c906a8d7acc99e32107a

SHA1
ca0a749a9f3ac4d71e0a746734497263f2448f50

SHA256
7734d7711605c30f59918762cfb17e136f519aafe0138f11da4f99701f872cc6

SHA512
94ad61d16fdaae6e9e93edd4636dc5720a4a49790ff99ef868d628e233ae599ad41023c6513376509c65e70fee9583cbcfc12444994c2dc96d7e3a400f60aef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
794a7852bec30eea56e852ce90fe3d35

SHA1
c9f5883450bbeba16136ee3c06d29119e9439273

SHA256
cb5924ae0f2e36704cc353d3feb88dc17f74a8f510f025e8ef3f00b7bf1cad5b

SHA512
035a41636dcc36260ee95cae2e4a5f6cd195483a6402afa263a1b2be279fbfc3fded1dbc4b24a5580cdde0299d7a3ce120b58afab01a76a3a909dcc132fc899d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a6af2555b69855b4a84356e5ad8e9fd7

SHA1
1de7a5d8a766d0eca5bfd92a91954e98f6d6e70a

SHA256
04ee4d5ee40d5c0817767e34dd874a82ed785924af9f5331e27514985584ab08

SHA512
3252c9a27619c498fe0f54c43d16c54f18669a07a1873c83546c4c709fae200f1cac78f0628580eed2b8c241f28b60af1df1e04e65fea063e90e67b4cd61e5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
aad03e712e961d5fc31cee1f392df778

SHA1
72e55fdfe174111c8cdeff106565558377fc71e8

SHA256
63a8db6136543363301de9669ff546f6ee00bbdd56478b8340ebbed2651f280e

SHA512
8123e0e55657924948d9c393cfa66c18f8d0522d9b48698d483842dc0f6fa0ab8670f1d1669029edcc42dd302f46fe2a76f23c7a4eeb98692fade8ce7e77e0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
816ede8e10f17d7a44914babd1e1d7b2

SHA1
bbca308e671a3ba2434dd3816f69fb2a0e5915ac

SHA256
366b7093f7d019010ab99291ecdc52b00c033b4767a3e0ce1fafd97168e572b2

SHA512
fc44b6122ddc345d654bbd7d7b7eec12e438e51c658883377e68f4880340d6e1cac3893f50e6fd206c85d741ce1da59ca3108706b59aba28f8e16d03f768ddd7

Download Submit
memory/6024-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-81-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-82-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-717-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-780-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-791-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-794-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-796-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-800-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-801-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-802-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-803-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-804-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-808-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-809-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-810-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-811-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download