vidar | fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56

Analysis

max time kernel
21s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe
Size

282KB
MD5

3a507b0b6463481cbb8d248efa262ddd
SHA1

97cc6f79eb1352660997a2194d7d3c9e1aff7a0e
SHA256

fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56
SHA512

4e0abe7ecd536b25146a663ebc49afd955727d32e2e01a6b7305afec79decbc649e95e841d18e226e346eb4d1e91228c215888c1ffb5363d888f6a1a6fed57a8
SSDEEP

6144:4ELt9KOtbS8O8F+pQ1UUPeZEUA85wR1ffmFSA7aFkHJuNEO:37tbStpixPRUkWB7a0wNEO

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

Detect Vidar Stealer 24 IoCs

stealer

resource	yara_rule
behavioral1/memory/2844-12-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-10-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-16-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-13-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-25-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-22-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-20-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2280-17-0x0000000002290000-0x0000000004290000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-164-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-183-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-213-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-232-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-331-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-365-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-384-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-427-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-446-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2284-585-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2284-587-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2284-584-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2284-581-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2284-579-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2284-577-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral1/memory/2844-859-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
848	ECAEGHIJEH.exe
1952	GHDBKJKJKK.exe
2800	EGCFIDAFBF.exe

Loads dropped DLL 14 IoCs

pid	Process
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.ipify.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 848 set thread context of 1356	848	ECAEGHIJEH.exe	37
PID 1952 set thread context of 2284	1952	GHDBKJKJKK.exe	40
PID 2800 set thread context of 2992	2800	EGCFIDAFBF.exe	43

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ECAEGHIJEH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHDBKJKJKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGCFIDAFBF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2896	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe
2844	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2280 wrote to memory of 2844	2280	fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe	32
PID 2844 wrote to memory of 848	2844	RegAsm.exe	35
PID 2844 wrote to memory of 848	2844	RegAsm.exe	35
PID 2844 wrote to memory of 848	2844	RegAsm.exe	35
PID 2844 wrote to memory of 848	2844	RegAsm.exe	35
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 848 wrote to memory of 1356	848	ECAEGHIJEH.exe	37
PID 2844 wrote to memory of 1952	2844	RegAsm.exe	38
PID 2844 wrote to memory of 1952	2844	RegAsm.exe	38
PID 2844 wrote to memory of 1952	2844	RegAsm.exe	38
PID 2844 wrote to memory of 1952	2844	RegAsm.exe	38
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 1952 wrote to memory of 2284	1952	GHDBKJKJKK.exe	40
PID 2844 wrote to memory of 2800	2844	RegAsm.exe	41
PID 2844 wrote to memory of 2800	2844	RegAsm.exe	41
PID 2844 wrote to memory of 2800	2844	RegAsm.exe	41
PID 2844 wrote to memory of 2800	2844	RegAsm.exe	41
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43
PID 2800 wrote to memory of 2992	2800	EGCFIDAFBF.exe	43

C:\Users\Admin\AppData\Local\Temp\fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe
"C:\Users\Admin\AppData\Local\Temp\fdf090545751ce09207f7cec140d21d246cb2f25002683e2cd36c92e18707f56.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\ProgramData\ECAEGHIJEH.exe
    "C:\ProgramData\ECAEGHIJEH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1356
- - C:\ProgramData\GHDBKJKJKK.exe
    "C:\ProgramData\GHDBKJKJKK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
- - C:\ProgramData\EGCFIDAFBF.exe
    "C:\ProgramData\EGCFIDAFBF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\FBAFIIJKJE.exe"
        5⤵
        
        PID:1760
      - C:\ProgramData\FBAFIIJKJE.exe
        
        "C:\ProgramData\FBAFIIJKJE.exe"
        6⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\CFCGIIEHIE.exe"
        5⤵
        
        PID:2368
      - C:\ProgramData\CFCGIIEHIE.exe
        
        "C:\ProgramData\CFCGIIEHIE.exe"
        6⤵
        
        PID:2660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\AAEHDAAKEH.exe"
        5⤵
        
        PID:2812
      - C:\ProgramData\AAEHDAAKEH.exe
        
        "C:\ProgramData\AAEHDAAKEH.exe"
        6⤵
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2724
- - C:\ProgramData\FHJDGHIJDG.exe
    "C:\ProgramData\FHJDGHIJDG.exe"
    3⤵
    PID:2968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKECBFBAEBKJ" & exit
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGHCGCAEBFIJ\BGHIIJ

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\BGHCGCAEBFIJ\FIJKEH

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\CAEHDBAA

Filesize
92KB

MD5
ae2cd96016ba8a9d0c675d9d9badbee7

SHA1
fd9df8750aacb0e75b2463c285c09f3bbd518a69

SHA256
dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04

SHA512
7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d

Download Submit
C:\ProgramData\FIJJKECFCFBGDHIECAAF

Filesize
6KB

MD5
64e308073d00f515b9e289d1d77ad28f

SHA1
ae6fbd1c044d11a6896f6b363181bd65db1492fc

SHA256
d8bb3e15b7a84e8fe0899abb09a9a067b04b25d9c47c5c77580febecdafbf18d

SHA512
8fc542776975bda8993b8dd5941ac08508d6cab7e848517f5fa5793aea4c0ba0e006eeb38bd800b4eb43f1f1960773d23776ec29d209643ebdbf44d18cd67ce8

Download Submit
C:\ProgramData\GHDBKJKJKK.exe

Filesize
283KB

MD5
ac7314c596e766b8f4f368579e2e0f8f

SHA1
0e4941e5e4299d04b9408194542c7362bcabcd2f

SHA256
be442a04bc031b4dc72835efeeeb025e9a103c8012382173965fba30bd3a96b9

SHA512
4258b6d15cd1c87d1787507f9132e5cf2caebfbf46dd055950dec8bb55faa094571d5b88cc58078adbab49f72fd3439f14ccae04de3d4bde672a540699a49428

Download Submit
C:\ProgramData\GHIDGDHCGCBA\KKFBFC

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\freebl3.dll

Filesize
433KB

MD5
2e0c5dfe2ca5466b99017d0a4a5551e8

SHA1
a9ca3a63012af6ed00912a593c932ca95533add9

SHA256
b02949984b0785e94a69e8a609bd6f890982998da5680fc908e0e4886d3b35be

SHA512
4324966b5ffd76f37c2cff91f32446608c04cadc78749530fb4ae81220b1abe37a838847050f6b8524c98158564f89a0d7f98c2edf7c8d4f622e24f5d60aa143

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c1588d04597ff6ef2986ff7e8c236fd9

SHA1
d433792785b9cf2ea6f4a0cf52811e3e8ba0c51e

SHA256
48655dcd73a09d4eb2c2e4fa394016d6776b819ba5a3ff1472ff7fccb1c46066

SHA512
306801673868b2a7e2bc9884f9d9a9735cd878de888536dfa26faec0a0dccc9d230ddbf2d98253c6cef2aef52384f8b4bd56b061c7148decbab33b3f649cc909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
303e8b11e3792fd5edeb69751c46b310

SHA1
8c9a67e209d39bf13efb219f1398494f73c8828d

SHA256
4f12713d7c3c83a9a66d3e8259dc625d820bf903bb830b718d38700fab25fde7

SHA512
0764b64a1a456dec0f743ba6093ee6d21e73b76298f6f7be9104820d05c86efe56188592a4e010811f26ee4107195c08f6b2c3fd6a022fd66353c4c1d4879b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37b8a2d00e2cad3070b73adf64e22d00

SHA1
2372deb5e6aab11ed827e6c39a190715bff18054

SHA256
a9d1cc5ffd5211a847793f64b485ff4829ada67468ed2acce3f49858ba59ec29

SHA512
d486f504141a8e0c94f439af00b549f0f57a2dd29d4fc75d46bf5ac5d85528264e47fdbcfc951964a16b670e751e0df0b4aa3b288ff8f4010cf271ad2b754633

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
5e55ab2d2840c6e2ed307d812c06f371

SHA1
54d40f4a044c1b0b5f81aee22546f0db487b51c1

SHA256
2ad562f5ea76bee5ea2257cdcb13fa66e595435d91c16cfc11d336ef9caf07e2

SHA512
178f61ffadce77667afc597437070515c0eb21fcceb61992abed52f54873e9f18d2c3aa480191354a2b75ab1275e684514f44e0705d7b251894b130709ffa0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\76561199768374681[1].htm

Filesize
33KB

MD5
3530b149a17562d5874d3325626c824b

SHA1
54e1ff74dbc2bf177a1f0ed5b2c7149750d7c9f6

SHA256
5fadc346131d83bca72712f34b58220740dcddf4669d23d9862914bef272c345

SHA512
a60a6676bc017933376b29487589432b6099bf70c5219996000a1157415ad990df72abf4283f571da39d5fefee09dcc414531a2837a4e211b184ab5ecca906dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\76561199768374681[1].htm

Filesize
33KB

MD5
95d56d91bcd41bb38a1b5fd8a9a8e341

SHA1
629412ca361369b5ec3feb537fc9349673419f6a

SHA256
5f3f38744d509d3bffbfb4dcb25e71e969aed93aada3cec88c1a9b3b2516aad2

SHA512
542cb9dc717e909b2f73be097b346cd65f87334a902696825971ee8147762abb21aa2e683fa0a62aeb3fb333af369e8b44c03b9329dc34fb674ee49ac081d0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF568.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF57B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\ECAEGHIJEH.exe

Filesize
322KB

MD5
23f66b62580e25c71d847802432019f5

SHA1
f1da07d11332465fbf5c456660d756350dbff889

SHA256
7bf0a7a8bf646c29d39ad64c36b6baae45572cee1ef7695bff3923aa3726705c

SHA512
e59e8581e8df58672ce1780f25d330793522ee450717e7ef3d96501474760ac3fc728f954ca8df0dbbd8d23fc9705d8afdc64e1476738598ce93cc5adefc2efc

Download Submit
\ProgramData\EGCFIDAFBF.exe

Filesize
207KB

MD5
b1394501c618f78b74c3ca0c2d81a33b

SHA1
73707a6facef7e1750fb6d47f3aa840558b17a30

SHA256
32d0ae27d9ae49a224785cd08bae82b0ec4e944145cb2f106873f70fc2908fe7

SHA512
0b3aff6484ee73136fd3bf36afad78f126e520b599def3c76b2e83e150fc919d484fd18d7bce0e006abae554db50ef566a6d13ac349c32fae67ea8e8796ce121

Download Submit
\ProgramData\FHJDGHIJDG.exe

Filesize
151KB

MD5
f8e29ae97c170715f92f5fb99abd26ee

SHA1
910297b5519d1f4bab9c270226b653b07c221083

SHA256
70a033ba057a632b01d20a074944a1c728aea8c5e65b9b7f1803583dc684cd5f

SHA512
2b529197f184d695193fc449eab1209afcf9e99b94606511b37f892a241023eb59062e197a49662f26a0573103f470bdeeddc890202a2890b0f564d9853122e4

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/848-838-0x0000000073440000-0x0000000073B2E000-memory.dmp

Filesize
6.9MB

Download
memory/848-532-0x0000000073440000-0x0000000073B2E000-memory.dmp

Filesize
6.9MB

Download
memory/848-509-0x0000000000050000-0x00000000000A4000-memory.dmp

Filesize
336KB

Download
memory/848-500-0x000000007344E000-0x000000007344F000-memory.dmp

Filesize
4KB

Download
memory/1356-525-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-528-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-521-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-523-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-524-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-522-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-530-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1356-533-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1620-840-0x0000000000E90000-0x0000000000EBA000-memory.dmp

Filesize
168KB

Download
memory/1952-551-0x00000000008E0000-0x000000000092A000-memory.dmp

Filesize
296KB

Download
memory/2280-17-0x0000000002290000-0x0000000004290000-memory.dmp

Filesize
32.0MB

Download
memory/2280-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp

Filesize
4KB

Download
memory/2280-294-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-18-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-1-0x0000000000E40000-0x0000000000E8A000-memory.dmp

Filesize
296KB

Download
memory/2284-575-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-585-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-573-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-587-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-584-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-581-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-579-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2284-577-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2376-792-0x0000000001130000-0x000000000117A000-memory.dmp

Filesize
296KB

Download
memory/2660-816-0x0000000000EC0000-0x0000000000F14000-memory.dmp

Filesize
336KB

Download
memory/2800-615-0x00000000003E0000-0x0000000000418000-memory.dmp

Filesize
224KB

Download
memory/2844-331-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-183-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-427-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-203-0x00000000203B0000-0x000000002060F000-memory.dmp

Filesize
2.4MB

Download
memory/2844-8-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-164-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-446-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-365-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-20-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-22-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-25-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-213-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-12-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-10-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-232-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-859-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-13-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-16-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-384-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-6-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2844-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2968-709-0x0000000001020000-0x000000000104A000-memory.dmp

Filesize
168KB

Download
memory/2992-619-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2992-617-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download