vidar | 8a51d26be760d2515fdbe742bc84bd08d05d4e7f665bdd3c37b8c425f839675e

Analysis

max time kernel
140s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe
Size

573KB
MD5

017e837d6e14a2412d5b7b385f8bca28
SHA1

3596a371841ec6cad17cdbfcde4425d980cb69e5
SHA256

8a51d26be760d2515fdbe742bc84bd08d05d4e7f665bdd3c37b8c425f839675e
SHA512

3aa9e36006182f8e640d8efb84fb505d8449c0d7feea0a803c5e7b283a11603ced81b076016acd15aedb15b0a1f060b7c76ebc53063c8fe9f54be925bf79c855
SSDEEP

12288:5ONjf6etLUrXh2ceG+9LKLdEEo4Edka+9LKLdEEo4Edk:5mfZxMaKLdjRaaKLdjR

Score

10^/10

vidar c466785b3a34d7b3c4d6db04a068b664 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

c466785b3a34d7b3c4d6db04a068b664

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 37 IoCs

stealer

resource	yara_rule
behavioral2/memory/4440-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-3-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-12-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-13-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-19-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-22-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-26-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-27-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-31-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-32-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-77-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-78-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-79-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-82-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-83-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-84-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-88-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-89-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-93-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-261-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-416-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-473-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-476-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-478-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-479-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-483-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-484-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-485-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-490-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-491-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-492-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-496-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-498-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4440-520-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3796	chrome.exe
3616	chrome.exe
1832	chrome.exe
1620	chrome.exe
600	msedge.exe
4380	msedge.exe
1984	msedge.exe
128	msedge.exe
1528	chrome.exe
4276	msedge.exe
4164	msedge.exe
2592	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133894745947348194"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
3796	chrome.exe
3796	chrome.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe
4440	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
600	msedge.exe
600	msedge.exe
600	msedge.exe
600	msedge.exe
600	msedge.exe
600	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe
Token: SeShutdownPrivilege	3796	chrome.exe
Token: SeCreatePagefilePrivilege	3796	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
600	msedge.exe
600	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2340 wrote to memory of 4440	2340	2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 4440 wrote to memory of 3796	4440	MSBuild.exe	79
PID 4440 wrote to memory of 3796	4440	MSBuild.exe	79
PID 3796 wrote to memory of 3100	3796	chrome.exe	80
PID 3796 wrote to memory of 3100	3796	chrome.exe	80
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 620	3796	chrome.exe	81
PID 3796 wrote to memory of 336	3796	chrome.exe	82
PID 3796 wrote to memory of 336	3796	chrome.exe	82
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83
PID 3796 wrote to memory of 1776	3796	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_017e837d6e14a2412d5b7b385f8bca28_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb8f2dcf8,0x7ffdb8f2dd04,0x7ffdb8f2dd10
      4⤵
      PID:3100
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      PID:620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2200,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2236 /prefetch:11
      4⤵
      PID:336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2536 /prefetch:13
      4⤵
      PID:1776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3260,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1832
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3616
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4292,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4308 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4476,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4724 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5296 /prefetch:14
      4⤵
      PID:1816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,12762097018898661431,11833390936290022885,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5392 /prefetch:14
      4⤵
      PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7ffda839f208,0x7ffda839f214,0x7ffda839f220
      4⤵
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:3304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:11
      4⤵
      PID:4132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2440,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:13
      4⤵
      PID:580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4196,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4204,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4220,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4216,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3668,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:14
      4⤵
      PID:3260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4932,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:14
      4⤵
      PID:3616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:14
      4⤵
      PID:1856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:14
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3564,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:14
      4⤵
      PID:3480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3564,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:14
      4⤵
      PID:2176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6704,i,2481944791131249587,16059363019269525379,262144 --variations-seed-version --mojo-platform-channel-handle=6876 /prefetch:14
      4⤵
      PID:3864

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5x47y\5fk68q

Filesize
288KB

MD5
f3903c96685ce3a448c1b679dd711ab7

SHA1
38f585ac361c48030117ba38cf65320502b8c1fa

SHA256
0c39b109a5d997af9ac2c3656aa931342021a9202bf8ada47c33d818ab6dc46b

SHA512
70d9de7ad7894ba4f0cffbe4c8e60e1284e2fc3405f3ac0f471837e0ab9ec410fc6e18cb344f3e7c0b52f74dcca1475d5f45baa252ac0d4b01a9170a60ae0d0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eea0b47d6fa61f459981fdf5fcba1e20

SHA1
aceae2b3944e4ec1f189dd2c41744f3d1ba87742

SHA256
1505288e4bf99c5ed518510d81399caa927fd9bc4b87582e6d02761c0d385383

SHA512
14f4cc2f4e8a4576329142bcc74af5a3fa8cac26f3d8ccc02ed77cc389473493015cd506ed7994728ec69c006eb230be08a2ceada09f573c333f839e39864a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
698944b9e93ed0bd2d92a34c19c77b9d

SHA1
a728c06d364cee1310466425274dcc5bf0a3d301

SHA256
90f50077d880ae23e113e5ff83e4e3f2a910f003225e37e08497cbe3a2be5247

SHA512
b3652832df06cbc783f357ed953f786c3fab45048ab9ffc8100ef2cdabbda52a76c782dd1cdbabde55f09c446c8c66ad3861b6a9f6b397801a1849655c63556b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
19a247f5884c6ef93cb894bc01475095

SHA1
7bd4b9e3658678a6269a40161aeac29477a3e2f5

SHA256
c4234c33a6ba4bdb7e2e16d3ba0d1da09064e11397ed43aeec3a36f13276ffb5

SHA512
9909f1cdb5316f88d60c65dc5d98e019218b2e2828398fcc501d5ccd01d50f0af9fccce3029f6f622e6bdf31b9f02a95aeded3b40a2ebf035cc74e1ce4928858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
069bd798917e483f4b8078616c6efcb0

SHA1
2bfae68c9b49a3d97d087dd89b3e4c9235a6e7c9

SHA256
470dab81bc47ccd16bce8aa76c0500b1ce152839df80eda4b3de4cfdd9f2da93

SHA512
7964ddd4bade861d744138593a684399508868d531c6da763a6028ac1ba96a7f2e9c8b79a280a25e9cc8a01406f3ca1387a5d2fd74ab6942092cdfe008013da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\4af9721e-9956-4269-a2e0-f60fad8d4d43\index-dir\the-real-index

Filesize
1KB

MD5
68c79b3ac1866fd64e2f2c4763f7e78b

SHA1
f08e83ccf50be64ce1f635c5818cefd3d11ad67f

SHA256
7bb6d1881397d2a4e0acbf94ec2ef9d8d696d0e38e287e41934195078c8d74fe

SHA512
130b666a3eeed67a76240c71e33f6bbcec20134fc7dccf25848f8db9e8e34a4f226b08d80c76b60c1c4075157fcb726f571b8ed90ae656ed8e4d2e83dc805a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\4af9721e-9956-4269-a2e0-f60fad8d4d43\index-dir\the-real-index~RFe582f0a.TMP

Filesize
1KB

MD5
e41e3fb155179dfec42d5836b23936c4

SHA1
15d0ce0b2f613e477858bf84bfa97a6c2e26d3cb

SHA256
506ae20359ba5e1a2d19892692baec1d5f864886592ccf93855f5d56817f972d

SHA512
8fecedfc5a32f3a90d06446953466027ffb94c48eae89a1f4a5e2227bbfd564d30518cbcf13ab20a91fe530fff6eeb703148966accb93911120ba324c2dbeba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
15ecb738b65b9c010d64f60fd93f753b

SHA1
5905d78a560417e2a548a477a724beaaca3818ae

SHA256
2e038dd8e22ef87316f3c529bf9fa5cf0e88666e1a417cfb9153270fa4493069

SHA512
b01824dc52a2a9eb769d87e1c65edb9abf05e94b6d5a70350f9bc888997e3eb5c3596ad3a347f3d226970c436a95fd2e9fa71b86367a7c415e2be2d64eca2f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
a4daa10ec0a892969bebb88cfb5bd683

SHA1
87b3c9c73fb41c93fee3cb85b956b10356765f52

SHA256
5bfa4719a23d5406299fba2b575303ff87966fadd9a884ef66701b003a151164

SHA512
620bfc143c1f40c6c4ff2a57b9cded32db2889e6b4f83b0dea669cfef455e2635f175784cadb7b60c42432ab0cf5fbbdaa0abb6ed67f17ac3ece28e176663b6f

Download Submit
memory/4440-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-82-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-83-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-261-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-416-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-473-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-476-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-478-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-479-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-483-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-484-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-485-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-490-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-491-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-492-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-496-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-498-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-520-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download