vidar | be442a04bc031b4dc72835efeeeb025e9a103c8012382173965fba30bd3a96b9

Analysis

max time kernel
22s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

283KB
MD5

ac7314c596e766b8f4f368579e2e0f8f
SHA1

0e4941e5e4299d04b9408194542c7362bcabcd2f
SHA256

be442a04bc031b4dc72835efeeeb025e9a103c8012382173965fba30bd3a96b9
SHA512

4258b6d15cd1c87d1787507f9132e5cf2caebfbf46dd055950dec8bb55faa094571d5b88cc58078adbab49f72fd3439f14ccae04de3d4bde672a540699a49428
SSDEEP

6144:DjacaEk/a7rOXYSjyZ6bNEl3ptRZjZLXksRKAylE//0Cw9EO:XzaEu2iZjyZ6b03ptRFZTFKu0CsEO

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/2552-17-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-14-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-12-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-9-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-8-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-6-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-158-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-177-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-207-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-226-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-357-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-376-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-419-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2552-438-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2012	JEGHDAFIDG.exe
2992	BAKEBAFIIE.exe
1556	DHJKJKKKJJ.exe

Loads dropped DLL 14 IoCs

pid	Process
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 2552	1544	file.exe	30
PID 2012 set thread context of 1348	2012	JEGHDAFIDG.exe	35
PID 2992 set thread context of 2168	2992	BAKEBAFIIE.exe	39
PID 1556 set thread context of 2784	1556	DHJKJKKKJJ.exe	42

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	1348	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHJKJKKKJJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JEGHDAFIDG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BAKEBAFIIE.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2316	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2552	RegAsm.exe
2552	RegAsm.exe
2552	RegAsm.exe
2784	RegAsm.exe
2552	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 1544 wrote to memory of 2552	1544	file.exe	30
PID 2552 wrote to memory of 2012	2552	RegAsm.exe	33
PID 2552 wrote to memory of 2012	2552	RegAsm.exe	33
PID 2552 wrote to memory of 2012	2552	RegAsm.exe	33
PID 2552 wrote to memory of 2012	2552	RegAsm.exe	33
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 2012 wrote to memory of 1348	2012	JEGHDAFIDG.exe	35
PID 1348 wrote to memory of 3044	1348	RegAsm.exe	36
PID 1348 wrote to memory of 3044	1348	RegAsm.exe	36
PID 1348 wrote to memory of 3044	1348	RegAsm.exe	36
PID 1348 wrote to memory of 3044	1348	RegAsm.exe	36
PID 2552 wrote to memory of 2992	2552	RegAsm.exe	37
PID 2552 wrote to memory of 2992	2552	RegAsm.exe	37
PID 2552 wrote to memory of 2992	2552	RegAsm.exe	37
PID 2552 wrote to memory of 2992	2552	RegAsm.exe	37
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2992 wrote to memory of 2168	2992	BAKEBAFIIE.exe	39
PID 2552 wrote to memory of 1556	2552	RegAsm.exe	40
PID 2552 wrote to memory of 1556	2552	RegAsm.exe	40
PID 2552 wrote to memory of 1556	2552	RegAsm.exe	40
PID 2552 wrote to memory of 1556	2552	RegAsm.exe	40
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42
PID 1556 wrote to memory of 2784	1556	DHJKJKKKJJ.exe	42

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\ProgramData\JEGHDAFIDG.exe
    "C:\ProgramData\JEGHDAFIDG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 252
        5⤵
        Program crash
        
        PID:3044
- - C:\ProgramData\BAKEBAFIIE.exe
    "C:\ProgramData\BAKEBAFIIE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
- - C:\ProgramData\DHJKJKKKJJ.exe
    "C:\ProgramData\DHJKJKKKJJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\KKKKEHJKFC.exe"
        5⤵
        
        PID:2264
      - C:\ProgramData\KKKKEHJKFC.exe
        
        "C:\ProgramData\KKKKEHJKFC.exe"
        6⤵
        
        PID:1308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\GIIDBGDAFH.exe"
        5⤵
        
        PID:1588
      - C:\ProgramData\GIIDBGDAFH.exe
        
        "C:\ProgramData\GIIDBGDAFH.exe"
        6⤵
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAEHIEBGHDAF" & exit
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FIDGHIIECGHD\DHIEBA

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\FIDGHIIECGHD\FIDHCF

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\HJJKFBGC

Filesize
92KB

MD5
9dacdf7238269810f4c56455bc02a2b5

SHA1
a4fdddc32f512bc7b3973b0026a65c61f0c09823

SHA256
96b70070ce33ffeec40bed34dbbed3b79b32d709e5f0c422ce4448b2574a8d8a

SHA512
05214bc2eea84586a19a35713a5132a2453ff6dc9b6bfa1304fc2fc9e89e05d250378102b04c692004c38d4caa1a334cdc01b827f0cfaee9d276cbd6ea95cd47

Download Submit
C:\ProgramData\JKJEHJKJEBGHJJKEBGIE

Filesize
6KB

MD5
414b22ca6874059c455de301505d0135

SHA1
ce6575b24b6946071eb25783ac64a41ec8374d90

SHA256
96b6eb6bcd57caa709b2a6a5f8d8bf5135286f5726bf3d4189eee5e926080b2a

SHA512
0b01dd544231695ee260e2c4724076f6be02d068fb07e28ad8f66704f93a8590261a0dbbaa70db96417f1c0a5865ec84f8f9d75eaf31904a480ec6ec5e498c54

Download Submit
C:\ProgramData\freebl3.dll

Filesize
20KB

MD5
8094fb31e21a862d02e075f16a71aa7d

SHA1
f6f639fc2207a8714e7d6e17a2534b5fd8ed2772

SHA256
9ba8bb3425b2572c3f0440c4736cdd378b1486ed282045c871c14b725b224c16

SHA512
02e00aeeb7edc77b21444acfaf443b51391741c22a855ddc5f6c65a901f823e72dcfa1a9ccece294a9901d1522d50b4b245016256d096348cc14918f4bfd85ce

Download Submit
C:\ProgramData\mozglue.dll

Filesize
30KB

MD5
2b826183f6bedac054c0fbfc87c87520

SHA1
29613703d6191df6170063b763301d343be07bbb

SHA256
fd8d1096794c7c9aa83afac4566af63d7048775fd7945419ca29dd9f6d2c515b

SHA512
2de16d97937dde6de2f4c595f9d1d4f64cb32f0b044a755ab359292f7eb5f2e50c296a3449d922a2e86fb09d9b102c5e96298ce9970c2c79146a1c6737f39cba

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
27KB

MD5
12f400dbc3cf4804edce09511c6fa803

SHA1
f26ac9516bfb08e437e51a15a02b4f27c3ec40c8

SHA256
069174bf855faf3e3c43aa5cc076db8d7edefe7805bc1e5881243e9664acadcf

SHA512
315c1c24204ee822d11f9c159d9559ba5b4a0c270d5a4f7cfcb785dd26dcad206fe579ff96510f025ad4c4c778d33ed1f5d1da3127a45594f865e9529dc67af4

Download Submit
C:\ProgramData\nss3.dll

Filesize
36KB

MD5
d20f8bf636ee484626ca50ddd9d85df3

SHA1
bcbadf9e9576325904252f3f0db0049f9c1b3836

SHA256
27a737b186e47afa95ce1d9fe7c2b773e9c89c1c5091649eb5cb34c2e49449b7

SHA512
6111a1b315425420b59f036764d0f1aef1dce61788616bf3726830583f966fa2fe2727c8759a3c1107e07fdc3b7cb96e8324972925a0ee52da2c59f3c31068a2

Download Submit
C:\ProgramData\softokn3.dll

Filesize
55KB

MD5
40c4363839b385f84f85dbcfc82be3e0

SHA1
8c2d354f584dbd5f45235a491457dbf3d4f0e197

SHA256
3069dd12ca0ac5f4ce13ca99b4f14154787fdc14eec9f1f999d1c8a1321ccdba

SHA512
c90a66caa0aef24014ea6d7bc0304c4b3b41477c7498968833eb7d663faf306688f16dd0be729472a02be059385314ecbba939b073111a8db4ce62e6fda0ace6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
10KB

MD5
621b251e5dee2df68583e8175dcb5ea7

SHA1
6b67a0a71b2afa478b12af46fee4bede99ce27c3

SHA256
b60657c635e1a67fa9057df4d0805324e081ae832d3532812e19ff1a2f089a24

SHA512
bfdb189f71fca57c685df7af9de0eb6516bd8668d2339effbdc08d7226e67ea7592c94c983eabf96b0fef9ab4ff492633df4e6b8594c10709bb9da8e34a72d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0B0E2398AAEC29C6B80CB11B0A298FD

Filesize
504B

MD5
0fa6525234cdeaa5f3b77aa6c6fa80f4

SHA1
8ac7f58d7bfc8075ed6f838ab6258d1971718e60

SHA256
becff27a14d620e204d5e94104940baf284090af69434f3e1220c657c5737f82

SHA512
e7a343e508e126a003fd73ac1750081d46e84859a145792ed69cecf88150515b4f1a63074e9775d7bd24b0ba72835d69ef7a87993a16f5b1f613471453a3a25e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c1588d04597ff6ef2986ff7e8c236fd9

SHA1
d433792785b9cf2ea6f4a0cf52811e3e8ba0c51e

SHA256
48655dcd73a09d4eb2c2e4fa394016d6776b819ba5a3ff1472ff7fccb1c46066

SHA512
306801673868b2a7e2bc9884f9d9a9735cd878de888536dfa26faec0a0dccc9d230ddbf2d98253c6cef2aef52384f8b4bd56b061c7148decbab33b3f649cc909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d2f6dd00d52c1913a069a110d1de2c5e

SHA1
b89afb0c288d26c8cb0a1f21d4e1cc5652a111c7

SHA256
bce14f2e734d9e77be673b8a334506896d757e63733545eb099673bcf97950e2

SHA512
5f471b60c61cbe7624b21e67d5912094781304ffd06f5f465eb4330de67f0567f382d730d2e032124ac3f2ee7223ffe2c1ef1465985bc753543467f0fdc63d67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e848c37f29bdd335608e0feb9ab8b1a

SHA1
f66991eb2a351362547f34f79369ee3e3e03197c

SHA256
787c573a27a9491a1b0274374ca70b5e2be6b5085e6a90c8c43b4793d566ec0b

SHA512
c00fb32fafdc43d54d6601501f9f45e955f339c9d77488c05008d5c29c461c673e5c5f7e21480df7e794d64f7681d5e78a59f096f7f9353b554c85e35e5b06e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10d5529df9cdaa7294cc4fcf9e9e9a2

SHA1
0ef6814c4b878a8827eb82ccdd81209743994404

SHA256
ab2cf13233743c7f36bece7195f74bcce72612b9a2f91c4a119fc49f7dfdce3d

SHA512
88392fe444d344c6ee83c4db688f710b1542ed043e15d3a3785f9003266912a2e989ed0c8ee98179dbc0e81a2f62454a477882191cf793dd5d3863316acf01e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2efb198d214803a39c7d36551c96879

SHA1
2fbf2a6bd256e3b7d67e539472ec6802a38cf8d2

SHA256
afedc2ee98b9ce26e7cf88cef230967c22ef5f1ea5a933dd586ced5d94fef676

SHA512
713394f1b85839e19584ca543a7012cf01178fc05c07adf99fd5a2018887af8a08fe334033e542ff5bdbf400f44c2faf54459e8d712f30068c0971a134588c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e672d3dc3b5088f61f2db6fad7248587

SHA1
96f99cd52314c8dc6ebb1710cc62f62b7d7853f7

SHA256
c9a076b89c8d1df3cbb310319bf901ffd12782103a784a83ebe3f04b8b72f3dd

SHA512
21c8538d534f711a9f0be5507b7f0d47d8dfc230c0b71789c8cfe8242528fbfef76985efd3fa2c57737c589c5f291881d0e9e97b63b349e0cea563cfa4e600c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0B0E2398AAEC29C6B80CB11B0A298FD

Filesize
546B

MD5
438cd83192916b25e1da638ffbc0be65

SHA1
6e659986b6761118481710f5a2c5a08aa2cd4913

SHA256
957c6bb640bfb135cfb523707f792311d67c348d1a73c0f537ab30f88b38936e

SHA512
57566c3b667a9dfab8cc332853eb7c456236a0849274cf75be1d03a9bdba139989a5711a666bc44ef6ae6f140cd10ce16c8f21c2b0dd43dc4e61de5bb42d109b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
142bc6dea23ba3c03cc6a7337f5574a8

SHA1
4d7a659277375e16010c31854bf50e6df7aa4e6b

SHA256
5ab94f072fbf3ae3ccde536e9e3c1420033f43d0d8528a04c27892f5da4b6c80

SHA512
9daf9b9c1bb14b9c248249db1f982dec142c3727e19bf73670af4720bc37c478e29420eddfb01cf0f7d117ce46df2ae5ce1dfd8f16670cdbf7f335fb06fcf92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\76561199768374681[1].htm

Filesize
33KB

MD5
da1eb51a2f1deb1ff1a9bf62fe6cbac6

SHA1
17b46acad9adec279492adda39ff3965cb9e2759

SHA256
ac493522c57c3894ff43650cc447f7006c2d4258f84e11b4651d1e00fcfc301b

SHA512
446e5b6e3b11b5a22f58831ca6725e1534c6b14154ab212318816d89d6232e23dfd5276076dd2e516880f5bcd3d7787b01a9212c2234b13b0476e143c058fa1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\76561199768374681[1].htm

Filesize
33KB

MD5
65abfa06a661c2df8570af6c3cbc0155

SHA1
ea58a7d9022c33871dfde2e6ccabf3159e268a99

SHA256
41d82bb6c690b932722748a1e091cf14c290264ffe983aee1f98c2b36630cc01

SHA512
9715627bfe67bdead4e1bf90613b430bf43a4d2c197bb4ceb6a9efb370ccd718d5afa6ba3902a6d0a4f338d81927a787434c5c82638e3d3df321874cc243a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA48.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA7A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\BAKEBAFIIE.exe

Filesize
283KB

MD5
ac7314c596e766b8f4f368579e2e0f8f

SHA1
0e4941e5e4299d04b9408194542c7362bcabcd2f

SHA256
be442a04bc031b4dc72835efeeeb025e9a103c8012382173965fba30bd3a96b9

SHA512
4258b6d15cd1c87d1787507f9132e5cf2caebfbf46dd055950dec8bb55faa094571d5b88cc58078adbab49f72fd3439f14ccae04de3d4bde672a540699a49428

Download Submit
\ProgramData\DHJKJKKKJJ.exe

Filesize
207KB

MD5
b1394501c618f78b74c3ca0c2d81a33b

SHA1
73707a6facef7e1750fb6d47f3aa840558b17a30

SHA256
32d0ae27d9ae49a224785cd08bae82b0ec4e944145cb2f106873f70fc2908fe7

SHA512
0b3aff6484ee73136fd3bf36afad78f126e520b599def3c76b2e83e150fc919d484fd18d7bce0e006abae554db50ef566a6d13ac349c32fae67ea8e8796ce121

Download Submit
\ProgramData\JEGHDAFIDG.exe

Filesize
322KB

MD5
23f66b62580e25c71d847802432019f5

SHA1
f1da07d11332465fbf5c456660d756350dbff889

SHA256
7bf0a7a8bf646c29d39ad64c36b6baae45572cee1ef7695bff3923aa3726705c

SHA512
e59e8581e8df58672ce1780f25d330793522ee450717e7ef3d96501474760ac3fc728f954ca8df0dbbd8d23fc9705d8afdc64e1476738598ce93cc5adefc2efc

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1308-865-0x0000000000B00000-0x0000000000B4A000-memory.dmp

Filesize
296KB

Download
memory/1348-523-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-519-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-529-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-525-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-531-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-521-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1348-520-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1544-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/1544-1-0x0000000000D80000-0x0000000000DCA000-memory.dmp

Filesize
296KB

Download
memory/1544-15-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/1556-616-0x0000000001250000-0x0000000001288000-memory.dmp

Filesize
224KB

Download
memory/2012-533-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-772-0x00000000734E0000-0x0000000073BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-499-0x00000000010F0000-0x0000000001144000-memory.dmp

Filesize
336KB

Download
memory/2012-498-0x00000000734EE000-0x00000000734EF000-memory.dmp

Filesize
4KB

Download
memory/2552-226-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-6-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-376-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-357-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-438-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-207-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-196-0x0000000020590000-0x00000000207EF000-memory.dmp

Filesize
2.4MB

Download
memory/2552-3-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-177-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-158-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-419-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-8-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-9-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-12-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-14-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-5-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2552-17-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2656-901-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/2784-627-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2784-629-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2992-551-0x0000000001170000-0x00000000011BA000-memory.dmp

Filesize
296KB

Download