stealc | 97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb

Analysis

max time kernel
81s
max time network
170s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
12-09-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe
Size

283KB
MD5

3745160eac67b0511940bad6f7811903
SHA1

287cac8a4cb9a0f873681ae3a5795b94929a9dcc
SHA256

97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb
SHA512

6e0dca82e029ec58fbb1e66128d2dd4c139d55330eb1e142e4f4cbfa64986e23c609f73dfd364aeb2e460c6351b4fb28197b1c493a48e4244ea7f1f015847056
SSDEEP

6144:m6sqWNwaUUHgjHB7cY98ojNiWRz0Qx8aAkeqqokVsozY9ulJz2TJXMEO:mNPg9njNVHx8wero3un0J8EO

Score

10^/10

stealc vidar default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/fneogr

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral2/memory/3128-3-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-6-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-7-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-16-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-17-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-33-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-34-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-61-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-62-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-69-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3128-70-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-129-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-131-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-133-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-215-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-224-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-264-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4912-267-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-274-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4900-275-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
4272	KKFHJJDHJE.exe
4328	YZDFIP13I9T9A9814C49.exe
4880	DBGHDGHCGH.exe
2896	CFCBAAEBKE.exe
704	AdminHIDAAKEGDB.exe
912	AdminGHCGDAFCFH.exe
4112	4P0TPPVHQR.exe

Loads dropped DLL 4 IoCs

pid	Process
3128	RegAsm.exe
3128	RegAsm.exe
4360	RegAsm.exe
4360	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3608 set thread context of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 4272 set thread context of 2308	4272	KKFHJJDHJE.exe	82
PID 4880 set thread context of 4360	4880	DBGHDGHCGH.exe	87
PID 2896 set thread context of 4912	2896	CFCBAAEBKE.exe	90
PID 704 set thread context of 4944	704	AdminHIDAAKEGDB.exe	102
PID 912 set thread context of 4900	912	AdminGHCGDAFCFH.exe	103

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\4P0TPPVHQR.exe	RegAsm.exe
File created	C:\Program Files\Google\Chrome\Application\YZDFIP13I9T9A9814C49.exe	RegAsm.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	3608	WerFault.exe	70

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBGHDGHCGH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFCBAAEBKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKFHJJDHJE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YZDFIP13I9T9A9814C49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGHCGDAFCFH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminHIDAAKEGDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4P0TPPVHQR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
792	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
4360	RegAsm.exe
4360	RegAsm.exe
3128	RegAsm.exe
3128	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4360	RegAsm.exe
4360	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4912	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe
4900	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3608 wrote to memory of 3128	3608	97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe	72
PID 3128 wrote to memory of 4272	3128	RegAsm.exe	76
PID 3128 wrote to memory of 4272	3128	RegAsm.exe	76
PID 3128 wrote to memory of 4272	3128	RegAsm.exe	76
PID 4272 wrote to memory of 3020	4272	KKFHJJDHJE.exe	79
PID 4272 wrote to memory of 3020	4272	KKFHJJDHJE.exe	79
PID 4272 wrote to memory of 3020	4272	KKFHJJDHJE.exe	79
PID 4272 wrote to memory of 2928	4272	KKFHJJDHJE.exe	80
PID 4272 wrote to memory of 2928	4272	KKFHJJDHJE.exe	80
PID 4272 wrote to memory of 2928	4272	KKFHJJDHJE.exe	80
PID 4272 wrote to memory of 3156	4272	KKFHJJDHJE.exe	81
PID 4272 wrote to memory of 3156	4272	KKFHJJDHJE.exe	81
PID 4272 wrote to memory of 3156	4272	KKFHJJDHJE.exe	81
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 4272 wrote to memory of 2308	4272	KKFHJJDHJE.exe	82
PID 2308 wrote to memory of 4328	2308	RegAsm.exe	83
PID 2308 wrote to memory of 4328	2308	RegAsm.exe	83
PID 2308 wrote to memory of 4328	2308	RegAsm.exe	83
PID 3128 wrote to memory of 4880	3128	RegAsm.exe	85
PID 3128 wrote to memory of 4880	3128	RegAsm.exe	85
PID 3128 wrote to memory of 4880	3128	RegAsm.exe	85
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 4880 wrote to memory of 4360	4880	DBGHDGHCGH.exe	87
PID 3128 wrote to memory of 2896	3128	RegAsm.exe	88
PID 3128 wrote to memory of 2896	3128	RegAsm.exe	88
PID 3128 wrote to memory of 2896	3128	RegAsm.exe	88
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 2896 wrote to memory of 4912	2896	CFCBAAEBKE.exe	90
PID 3128 wrote to memory of 3516	3128	RegAsm.exe	91
PID 3128 wrote to memory of 3516	3128	RegAsm.exe	91
PID 3128 wrote to memory of 3516	3128	RegAsm.exe	91
PID 3516 wrote to memory of 792	3516	cmd.exe	93
PID 3516 wrote to memory of 792	3516	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe
"C:\Users\Admin\AppData\Local\Temp\97eb9202d98aa1d2ff12cbc779f715c8262b1c2281128b7ba26df7d1ed4930cb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\ProgramData\KKFHJJDHJE.exe
    "C:\ProgramData\KKFHJJDHJE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Program Files\Google\Chrome\Application\YZDFIP13I9T9A9814C49.exe
        
        "C:\Program Files\Google\Chrome\Application\YZDFIP13I9T9A9814C49.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
- - C:\ProgramData\DBGHDGHCGH.exe
    "C:\ProgramData\DBGHDGHCGH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIDAAKEGDB.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
      - C:\Users\AdminHIDAAKEGDB.exe
        
        "C:\Users\AdminHIDAAKEGDB.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Program Files\Google\Chrome\Application\4P0TPPVHQR.exe
        
        "C:\Program Files\Google\Chrome\Application\4P0TPPVHQR.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGHCGDAFCFH.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Users\AdminGHCGDAFCFH.exe
        
        "C:\Users\AdminGHCGDAFCFH.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
- - C:\ProgramData\CFCBAAEBKE.exe
    "C:\ProgramData\CFCBAAEBKE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECFHCGHJDBFI" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 844
  2⤵
  - Program crash
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\YZDFIP13I9T9A9814C49.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\ProgramData\CFCBAAEBKE.exe

Filesize
282KB

MD5
3a507b0b6463481cbb8d248efa262ddd

SHA1
97cc6f79eb1352660997a2194d7d3c9e1aff7a0e

SHA256
fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56

SHA512
4e0abe7ecd536b25146a663ebc49afd955727d32e2e01a6b7305afec79decbc649e95e841d18e226e346eb4d1e91228c215888c1ffb5363d888f6a1a6fed57a8

Download Submit
C:\ProgramData\DBGHDGHCGH.exe

Filesize
206KB

MD5
f24d1ef9ffb8be85e5b7f03262eb2e88

SHA1
ca80ca5aa19037b424f73de09d52f079032ea546

SHA256
c98f17dd444209ad0a6d71221b67cd632bc6409686f750bb5118a7e42eca91e0

SHA512
4b0ddd0ad28f7fd30324add6623f399dec43df33d0e9bb24788c0d0e96c1b2f25b96644b5320755299b1d2fb66e4417a0402fd6729d3ed33aec2117c485c3567

Download Submit
C:\ProgramData\GHDBKFHI

Filesize
92KB

MD5
64408bdf8a846d232d7db045b4aa38b1

SHA1
2b004e839e8fc7632c72aa030b99322e1e378750

SHA256
292f45b8c48293c19461f901644572f880933cbbde47aedcc060b5162283a9fe

SHA512
90c169dbae6e15779c67e013007ac7df182a9221395edd9d6072d15e270132a44e43e330dfe0af818cf3c93754086601cd1c401fb9b69d7c9567407e4d08873b

Download Submit
C:\ProgramData\GIECFIEGDBKJ\JJDBGD

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\GIECFIEGDBKJ\JJDBGD

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\GIECFIEGDBKJ\KJKJJE

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\IECBAFCAAKJDHJKFIEBG

Filesize
6KB

MD5
dc5ebfb2db9e624be525ef1c71ba83e0

SHA1
0e6f7b186d42fe16728bfb8b2c48e77d5d46753c

SHA256
713743f0b529ec8bc49c54ceb3ef09dce9887f4cb9e04b55961bbf22208e94ff

SHA512
48a74f01a41027301c6164b18d665f338ce518aea07824f8b05931f54a6ba32c551831df62a16577251a4cb65baf01a03eafc955419dee42d097a66ab5b656f9

Download Submit
C:\ProgramData\KKFHJJDHJE.exe

Filesize
328KB

MD5
55f1d65ca0130c6a8cba2f206b4b0e36

SHA1
9ef2f827c92f21f375a50ace8faf72f5b9083ddd

SHA256
efe0690c0cc62906989a9e2bbc6e697046b093624e02e15d0e63ea7aa0186884

SHA512
8aaa0f9cff3bbdf3bd94735f5282338c088ebefcd21bb3d8982645aa06614e71cde9f7d38673433e3fe41bb959f4c995e42a36aad269de8ac286104de4eb3eac

Download Submit
C:\ProgramData\freebl3.dll

Filesize
36KB

MD5
dbd3d9d59f6d2dde15f3e9aed8f4a55f

SHA1
152fed5cf6ae66356a109677e6ef592864e740c1

SHA256
e0e77ac61908ce88766708e7f84c3ae7a0fcf4ab55d0e52864e22c0253dfa20a

SHA512
3b46b909d7634274e5676a1ff62699d7d41862f7a3753edb65db2e1c59f2f329da23eea26c79b81477197cd4c8c9acf9358a62643bc4ce92132176f742173f01

Download Submit
C:\ProgramData\mozglue.dll

Filesize
103KB

MD5
d2d68eb961d2b6a79a4e1ce390ee4bc7

SHA1
cd9f4c1edf01437732d444915bdc3cf104653363

SHA256
ead39014c490aa0d0916ac4b2fa4d6f9cb7bc6cf6f96808ed6f3577802174f4b

SHA512
bd97a198368b27d048a574652ce4f6f781d3befce9e7351390b05dd40dbbd7f5f79938edb21fdfe00bd5906e99787b37933320dfd0d6a19dd24eecd26cb833d9

Download Submit
C:\ProgramData\nss3.dll

Filesize
5KB

MD5
fff8bb74ff31eb63f0386737a00b6d0a

SHA1
eaf6b3268e69a783aee4f97c4a2daa9bd153d6fe

SHA256
fdbb1e867d9aff33fa30c8e2d1f0cf18faa97c27851767720035b05e67100cc6

SHA512
dc77574ca6d10edc96901776022b1d10bd2b0295647c61ea97dd806b744a217d807edbea13af13fbd458a3f3c8553924df46d4ebff829a02f191c63142f6699a

Download Submit
C:\ProgramData\softokn3.dll

Filesize
97KB

MD5
2a519486c5e68bf067db2654de94090f

SHA1
d9e4404dee78d2fb5809b8911c706cf228788e9c

SHA256
3d8ee463f2b7f2e85bf1c7c744540f4e3b4fbe6f256d28c1c00498012d5f81bb

SHA512
5c68fc8cc9e45d0c753fa666c5da125a9645752c414a4450772053166419a68cd0d1b5fa8badbffe24546eadf1f2c290c4fecaa8f07431d4308dbc9c89beb3a3

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0255CEC2C51D081EFF40366512890989_8A726233B0F9B64FE822B7A4065CB375

Filesize
471B

MD5
cecf9e39987128b205ec741afbac86d1

SHA1
1599deaf71c3c5ec61afc7f7b14575face03e409

SHA256
40cb238f64b6d464f297878f2389d1223b1417f493f488c1d55759df7f8a39c2

SHA512
92243e1a2993034f3b57cc60aecf57aac98e1e5a0e177b35ba981534dec72990b1ac72c01b439b3826871d88bcd2977febb417749d1b276bdb28b56493959c25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
3eb397a524d6b064f4130d706bbb32c9

SHA1
b79b1169cc971f21308e91af43a295c9cefcfd71

SHA256
ba7c039a117bca61feb4ede0876ff545248209cbcc30a8b08f4e84e894227a22

SHA512
40015805e1a585aac7c4a07a95a00f3808d99eb6080cd642dfe13d3a735f69dc54ed7381aa9cab498192c8af792c663ae4647597fd82cd96967cad464c5e75a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
8bd5a49df494d8ec0e300e48bc5ccac7

SHA1
1a5a88b912d7533e5f9d23c923c15e1a6e18a87e

SHA256
261b931e89a697f15f35ebe38faf32cb8b67ac3fe628ec8ac860c0e6e9b01464

SHA512
0e36c0c7ef6abe353ab46efccb296129239b355f873c8cf40ca210be2f6f5d2da89c1e6a5dc260beab7207529e9422748b87b04c7d72bce43b5b7342c4f7b6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
2KB

MD5
ffec8069cabce0949aaee67665624e67

SHA1
d449a98b34103a9e80740ed9d7593c8115c3dc75

SHA256
340d048d7f46e25d83d97affa98d53d773e83e070b28ed67ea3472362a0a2993

SHA512
770d7b72772940699b4fb66ededa53a02fe580c5fcc5e050e2798e8e065c7a3505886d91d3ce05172e1d5c942069297934dd3c8c52f9e3d2be8f5d0c1ab851d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
67db8c5d484fe0b60abd574b0480e4c9

SHA1
bafea8ad167114a72854bfe78095155bb7c44f89

SHA256
5d2c8933104167dece16b77357813d01c861d0c00176057ab8fe93222b51141d

SHA512
5d71a6271cfdcbef50f51c083f1665baaa59e7d927051ec96086bc68ceb2334227d620ee777237fccb3954ae1a1691f79d7f73335e7c95179591a1cdd0e9c844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
267213063373c723fc10225ef5c35205

SHA1
405c393523c0341b508bed3bef206e10060aacd5

SHA256
fcd368cd3608e36d7cb22c98ea40b5c77feec34a08719fa136cef6db5e2036ec

SHA512
3a7cbd0ff672feea120d61c9b820727ec35a9345c5e6c5678e5140e1375a6881419e82a2b54528f39c4241bcdbdec3bf89c28288b217dfbb2d21ff8399c59032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0255CEC2C51D081EFF40366512890989_8A726233B0F9B64FE822B7A4065CB375

Filesize
490B

MD5
23fac6b5fbf24ece0324fa1c3a4a0a5d

SHA1
599e8b7ca18e2198d4c7c69f46c9a26832e6f0f1

SHA256
f1efb91a07ca5bdb81ffc4b329defdfdc22ffa36443b5518833da0ae5d71da34

SHA512
6e813d025764bd82b7b0b043dd72499136948df8edb22dab70448b9d81838b07f5a1fd078e58a1f52d4e488db6f9f7a2b04d2dfdda42aa444134fb132892e73b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
76e403f33c60b0c2cbd9962e1c12801c

SHA1
6d0bb2d025a9380cc2586f2578e8da8455cf27fe

SHA256
137f679229b2a81a7c7458913fb0aea3a262a08aa2ec20c29a6b59d70c0520c8

SHA512
15e47701256adbe3496936c0deba342354b013e8b5a257cdc0b6638cacfed4d0a3969cc3a59048af37a3a70e1bdd4fe2f421afe00b24536577cdd8a81a0cb8f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
b1f9fe77436e42f00cf6f3972fc705c4

SHA1
983b58b87da6025d85814f6d0f9cce5e1111af48

SHA256
5fa879a3326a079091a63f9e61da555689ce2897b31d0a11a101084a07b413fd

SHA512
a50736f0ec60d180201a31afd3b17110e908ee5c53d2ba6bd1363ae52510df4ed904115ea09a04d2223c8f3641fc6a4db235d5231c8ec7cc098d791906dbd375

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA

Filesize
482B

MD5
19888a1e63a32ce278d6117bda9bd116

SHA1
a3250cf429ddc0b0b0fd74271e34d1f1a7f5a7f5

SHA256
5298264ff8dad75bb00f0f05395030f9f64a91ee794aad320801b4c77eb1284e

SHA512
4184b211d25e4e21ff60cdd2a380dc912a7d35be25fe6d42bcfff7fc6ebf2b1c77f8c26407dc7c07c15be211d89220b081c899200fb39cbd461af9fc974c6267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
4b0732a33fdd822e342fff1036cc61ab

SHA1
4afee834c14152037673a78e750c77570b53cd16

SHA256
26c589b2ba445faab368145d41bf8b5e72a7eda044cd891dc167d94148ffb22b

SHA512
f0155d40041f8f0942acafa5aa9c5db7de298d8ac8931dde7294e7c99ba37fd5ce758ad67fb4b4e7b4b05fb67b747bdc4f6d1dfec9120fcb9acba553f53c95e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
2ad43296480552a1e271edd0a0aba050

SHA1
f27929455dc64d9ae0be6e94e93f086768cc1d61

SHA256
1ddf13fa289740584cf61ed4f2e8f6234a716a85b8ac3a26d0e1665b3af5a06e

SHA512
ce3c7e8f63837109940d933c99fe7ae5da4534a4d6c3a3bc7425a954eb29ffd2acb0e3a3e14d612f5c6292b71a3e31d82e598e84a603ae4df59da96ccdb979da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminGHCGDAFCFH.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AIFFRYPV.cookie

Filesize
103B

MD5
bf68111a655108e724d4e1b86d558de0

SHA1
57278ef8bed1f13d5df6883289921561fb60becf

SHA256
b6f48eb23990c3ce7cc774adc057c2594ced978c34993cfde8d839540e5e07bc

SHA512
e6b549d71164f4b4ca00022df67ddb7484192676fc5a117bcd4c7f7ec4ab2be15e0665a8181edd9092da90007177f15123f0f2840b0c8ef684965ee6dc130c7f

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/2308-93-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2308-95-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2308-91-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2896-126-0x0000000000060000-0x00000000000AA000-memory.dmp

Filesize
296KB

Download
memory/3128-62-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-17-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-3-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-6-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-16-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-18-0x00000000223F0000-0x000000002264F000-memory.dmp

Filesize
2.4MB

Download
memory/3128-33-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-7-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-34-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-61-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-69-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3128-70-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3608-10-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3608-43-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/3608-42-0x000000007370E000-0x000000007370F000-memory.dmp

Filesize
4KB

Download
memory/3608-1-0x0000000000160000-0x00000000001AA000-memory.dmp

Filesize
296KB

Download
memory/3608-0-0x000000007370E000-0x000000007370F000-memory.dmp

Filesize
4KB

Download
memory/4272-87-0x0000000000330000-0x0000000000386000-memory.dmp

Filesize
344KB

Download
memory/4272-97-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/4272-101-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/4272-88-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/4328-103-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download
memory/4360-115-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4360-117-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4360-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4880-112-0x0000000000120000-0x0000000000158000-memory.dmp

Filesize
224KB

Download
memory/4900-277-0x000000001FAA0000-0x000000001FCFF000-memory.dmp

Filesize
2.4MB

Download
memory/4900-274-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4900-275-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-131-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-267-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-264-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-250-0x0000000022980000-0x0000000022BDF000-memory.dmp

Filesize
2.4MB

Download
memory/4912-224-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-215-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-133-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4912-129-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download