stealc | f083e21b36dd20620436ee2fa9a7f8f98dd7ca182ed5e1cd19d05455a0b4ab68

Analysis

max time kernel
29s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

403KB
MD5

e0a861bd26bf65d25bb61f8ebbe81e50
SHA1

b06e237cde5ffb36b8a388c47b150b20784666fa
SHA256

f083e21b36dd20620436ee2fa9a7f8f98dd7ca182ed5e1cd19d05455a0b4ab68
SHA512

7753c4b21788a5bf1810f5f1dd7debee302f0fad9a383d4dc4f0aaa2e340988eef4676284631d9bd5338552b62714b80e33e626258e7d265248041ece75901de
SSDEEP

6144:wcKudp8ds++opu1J+TIYwuTUT8SJXdbar3LrEIssLgNLYglq/sD1ShTd1J3DAol+:ZTa9puuTSn8SPujLr31DcGDtm28EO

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a 9bf5e431869643a2ac397d2dc0d687fb default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

9bf5e431869643a2ac397d2dc0d687fb

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 26 IoCs

stealer

resource	yara_rule
behavioral2/memory/2972-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-20-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-37-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-54-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-79-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2972-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-3571-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-3569-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-3567-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-4402-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-4554-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-4730-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-4894-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-4917-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-5085-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-5886-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-6040-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-6279-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1328-6416-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	IJEBKKEGDB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_15d68292b0cb402c953a4170fc91f78b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_24cb032f248a483a814daf6752395d10.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3d5c4bd5cca449f3b861db1b37c4ff5e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f577f2a6efc4401da9e7d2a9881c08bc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dc18cbeed2004cf8badb8d24102d82ee.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1d3e4a37c324cda80d12c3dc2d04254.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8bcb0458d5cf4715a629f874de147152.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3e6350e2a4fc4a289c9787572e95b515.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_094ccd8050b1435b857c5bb44eeb120f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_946f8c14f3e842c6abb5f07435a8aef1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_345a8671fb0f46a3b3a3d9db6d1c14a2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3b62096e112f42dbb57fb1018189a2de.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_13514db4b2c84369a3e1425779e5d429.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bced3fd4548e45b68d0a27efbc35e6a2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_99a2c88be2c340d1ae1107ce5368e503.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ae4eb881fc614b35a30ff49f77a96a9b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_927db19b8b2d4b429cd602164337b23f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ce41f7020ee2408883246c2eebf4a2e9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f45c179878204ef193ddaad791d4c9a0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_102ec75f72404f49bfd2300e0f57db5d.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1150bdcaef374b92bb7965533a97640e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_82ad11f8f30045d5a34491a38b93ca91.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_42522caceef04394b712a08add0012d8.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1710bb8338754a27b907912dedecf72f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ca55cc3c09e445d49eafabfcfc48c194.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9abd0488d612481fb030efc6e7484a3f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1bd2517006024764aac3355f2e4c8e3c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_186d6c842fbc4b62b7eca6004612d8f5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a885a8ed10624345986f5971b9b40839.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b007547b3006411bac312cff80336fb1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_375571d1cb704ecbbbf54c5e5f89edaa.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4013b6702fbc4aa58803c33c022e68b4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e8b68c58df6e4acc91ac5621833b6377.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b06f22e4f0f148d5bd6bb178d6dc44c5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c686bafdc9074663bbf8e5fe86329b2c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_45f7245761f54ab6bb4b77ac5a336f72.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_30b87029b21345b1927b34ed81fa0789.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f4782c5619d5480a8a8b47279c0267eb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ed18954d62824f32a21944ca159436c4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_44397b03acc64af19c7cfd7c9f26bb56.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_37f79213d9734cb2a5bafcc25070b46e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f75db35412f0422a9f61d1b89d9f5deb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_47a5f8308144487fb09864a47bb59f39.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7a9ab0ea2aaa4dec97320fed2d031b3e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f67df2f13b0149d8b6192ab646d07505.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_cb78b7253f3d458292252889f4b5e1fa.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d28d2d007ea442b4aaba4d6164ec431a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_056ef3a235f14f51b84fc99cdf559426.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d2d19c99e7ba43de9b767f632502eed1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_28f46a9e2c3a4e58aa784cc5de289401.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b5ed921b37834333b364af319556f65e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_31b4a177ec6a4ea5bc6b034c22b49117.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5c965740d41947009ec3410964b4af50.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2443fe5b767c4ae38a61735c7ff95ffe.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fbe3bbb2629d452dbcae013121984670.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2a37508bd584868a101abe345bf61bb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8f22465482834449b635179a9ffe1607.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1898d64bb2d4c81a4854cce964242a6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_50f439af06c4497bbc616706d372df38.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dbdbc34a15aa4020af615a88338a899b.lnk	IJEBKKEGDB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d4146bd205814fc7b4276c695ef6657a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_11efe1542d624f878ae33a26e39c49fe.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_532ac27aad534fd0b158c0454c162d1f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c8b8175d8c9b42c39d16ca87facafc4b.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
828	IJEBKKEGDB.exe
3452	MFDBG.exe
3040	FDWDZ.exe
3212	KFIDAFBFBK.exe
3608	FIIIIJKFCA.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	RegAsm.exe
2972	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_f8e634550ae94c92a6ba00822f397398 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	IJEBKKEGDB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	api.ipify.org
91	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 2972	5088	file.exe	83

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IJEBKKEGDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KFIDAFBFBK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FIIIIJKFCA.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1932	timeout.exe
4360	timeout.exe
4976	timeout.exe
1444	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	RegAsm.exe
2972	RegAsm.exe
2972	RegAsm.exe
2972	RegAsm.exe
2972	RegAsm.exe
2972	RegAsm.exe
3452	MFDBG.exe
3452	MFDBG.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe
3040	FDWDZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	MFDBG.exe
Token: SeDebugPrivilege	3040	FDWDZ.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 5088 wrote to memory of 2972	5088	file.exe	83
PID 2972 wrote to memory of 828	2972	RegAsm.exe	91
PID 2972 wrote to memory of 828	2972	RegAsm.exe	91
PID 2972 wrote to memory of 828	2972	RegAsm.exe	91
PID 828 wrote to memory of 3452	828	IJEBKKEGDB.exe	93
PID 828 wrote to memory of 3452	828	IJEBKKEGDB.exe	93
PID 828 wrote to memory of 3452	828	IJEBKKEGDB.exe	93
PID 3452 wrote to memory of 3040	3452	MFDBG.exe	94
PID 3452 wrote to memory of 3040	3452	MFDBG.exe	94
PID 3452 wrote to memory of 3040	3452	MFDBG.exe	94
PID 2972 wrote to memory of 3212	2972	RegAsm.exe	95
PID 2972 wrote to memory of 3212	2972	RegAsm.exe	95
PID 2972 wrote to memory of 3212	2972	RegAsm.exe	95
PID 2972 wrote to memory of 3608	2972	RegAsm.exe	97
PID 2972 wrote to memory of 3608	2972	RegAsm.exe	97
PID 2972 wrote to memory of 3608	2972	RegAsm.exe	97

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\ProgramData\IJEBKKEGDB.exe
    "C:\ProgramData\IJEBKKEGDB.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
- - C:\ProgramData\KFIDAFBFBK.exe
    "C:\ProgramData\KFIDAFBFBK.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1416
- - C:\ProgramData\FIIIIJKFCA.exe
    "C:\ProgramData\FIIIIJKFCA.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKFIDAFBFBK.exe"
        5⤵
        
        PID:4868
      - C:\Users\AdminKFIDAFBFBK.exe
        
        "C:\Users\AdminKFIDAFBFBK.exe"
        6⤵
        
        PID:3636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1328
        
        C:\ProgramData\JEGHJDGIJE.exe
        
        "C:\ProgramData\JEGHJDGIJE.exe"
        8⤵
        
        PID:3076
        
        C:\ProgramData\FCGIJDBAFC.exe
        
        "C:\ProgramData\FCGIJDBAFC.exe"
        8⤵
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:4032
        
        C:\ProgramData\KFBFCAFCBK.exe
        
        "C:\ProgramData\KFBFCAFCBK.exe"
        8⤵
        
        PID:4540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIJEBKKEGDB.exe"
        10⤵
        
        PID:3524
        
        C:\Users\AdminIJEBKKEGDB.exe
        
        "C:\Users\AdminIJEBKKEGDB.exe"
        11⤵
        
        PID:2160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:936
        
        C:\ProgramData\KJEGDBKFIJ.exe
        
        "C:\ProgramData\KJEGDBKFIJ.exe"
        13⤵
        
        PID:4920
        
        C:\ProgramData\EGCGHCBKFC.exe
        
        "C:\ProgramData\EGCGHCBKFC.exe"
        13⤵
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:1992
        
        C:\ProgramData\IIJKJDAFHJ.exe
        
        "C:\ProgramData\IIJKJDAFHJ.exe"
        13⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIIIJECAEGD.exe"
        15⤵
        
        PID:1340
        
        C:\Users\AdminIIIJECAEGD.exe
        
        "C:\Users\AdminIIIJECAEGD.exe"
        16⤵
        
        PID:400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:2828
        
        C:\ProgramData\DHDBGHCBAE.exe
        
        "C:\ProgramData\DHDBGHCBAE.exe"
        18⤵
        
        PID:2520
        
        C:\ProgramData\JDGCGDBGCA.exe
        
        "C:\ProgramData\JDGCGDBGCA.exe"
        18⤵
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:4928
        
        C:\ProgramData\BAKEBFBAKK.exe
        
        "C:\ProgramData\BAKEBFBAKK.exe"
        18⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHDGHJEBFBF.exe"
        20⤵
        
        PID:5036
        
        C:\Users\AdminHDGHJEBFBF.exe
        
        "C:\Users\AdminHDGHJEBFBF.exe"
        21⤵
        
        PID:3392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:4436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJDGCGDBGCA.exe"
        20⤵
        
        PID:1340
        
        C:\Users\AdminJDGCGDBGCA.exe
        
        "C:\Users\AdminJDGCGDBGCA.exe"
        21⤵
        
        PID:3276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKKFCAAKFBA.exe"
        20⤵
        
        PID:2192
        
        C:\Users\AdminKKFCAAKFBA.exe
        
        "C:\Users\AdminKKFCAAKFBA.exe"
        21⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GDHCGDGIEBKJ" & exit
        18⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        19⤵
        Delays execution with timeout.exe
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIJJJEBFHDB.exe"
        15⤵
        
        PID:1992
        
        C:\Users\AdminIJJJEBFHDB.exe
        
        "C:\Users\AdminIJJJEBFHDB.exe"
        16⤵
        
        PID:3512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGCGDGHCBGD.exe"
        15⤵
        
        PID:2952
        
        C:\Users\AdminGCGDGHCBGD.exe
        
        "C:\Users\AdminGCGDGHCBGD.exe"
        16⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFCFCAAAAFBA" & exit
        13⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        14⤵
        Delays execution with timeout.exe
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDBGIJEHIID.exe"
        10⤵
        
        PID:4852
        
        C:\Users\AdminDBGIJEHIID.exe
        
        "C:\Users\AdminDBGIJEHIID.exe"
        11⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHDBGHCBAE.exe"
        10⤵
        
        PID:1784
        
        C:\Users\AdminDHDBGHCBAE.exe
        
        "C:\Users\AdminDHDBGHCBAE.exe"
        11⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DGCBKECAKFBG" & exit
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        9⤵
        Delays execution with timeout.exe
        
        PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHDGIJJDGCB.exe"
        5⤵
        
        PID:4340
      - C:\Users\AdminHDGIJJDGCB.exe
        
        "C:\Users\AdminHDGIJJDGCB.exe"
        6⤵
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGIDAECGDAF.exe"
        5⤵
        
        PID:3196
      - C:\Users\AdminGIDAECGDAF.exe
        
        "C:\Users\AdminGIDAECGDAF.exe"
        6⤵
        
        PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBKFIJEGCAA" & exit
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CBAKEBGIIDAFIDHIIECF

Filesize
11KB

MD5
20c0c43c1a410b9d7b0d32568aa7a63e

SHA1
35827d79a0d5953f51b61377ca5547d6e84b0ffb

SHA256
15f9e9607cb48381e2a07fab571f8a8ed71c2c13c62fb24d85770d30d6481ba2

SHA512
2dcbd14c1f2ccd9e591bc800c32fa54b40f6b5788e99de3564699977efd98ec8a9fac150967e5ed4830e9d9413805dea6ec38337260fc72993e5e94714f93b2a

Download Submit
C:\ProgramData\DGCBKECA

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\DGCBKECAKFBG\AEBKFI

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\DGCBKECAKFBG\AEBKFI

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\DGCBKECAKFBG\DBGIJE

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\DGCBKECAKFBG\DGHIDH

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\DGCBKECAKFBG\DGHIDH

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\DGCBKECAKFBG\DGHIDH

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\DGCBKECAKFBG\IJEBKK

Filesize
5.0MB

MD5
c822ad3a46e58afab84d23614a08e0bc

SHA1
196f257903ccefa439dc673690c6910356bd1d81

SHA256
a8dc0fe0bcf7f1553cf0f530f88b38f033b914170d71df05f84093498d82d438

SHA512
bc5da3bac510289c47d7c835ae6dd50fe96f64e1f522ac930be451cd9e47c5d395b5ff463f9b4aee33b98785f1bd4eec6a0d321962ecbc60e2eb5a0d66c735d2

Download Submit
C:\ProgramData\DGCBKECAKFBG\IJEBKK

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\FIIIIJKFCA.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\IJEBKKEG

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\ProgramData\IJEBKKEGDB.exe

Filesize
26KB

MD5
0677d5eb007dc9b0de2c5ddf8c3886d8

SHA1
d455b38856bb2a143e5edc2ade8db811e4e9a71b

SHA256
f33f40367e6a3878f2c8df07683413c77126150d076684fdbc295e9a7a0e5164

SHA512
983d9081093f838e6b1b2a5a70e4726caa8fe4a54e83c0bc66985751a88ca9122e5c14688d18c0b9b738195a22ac40900de39c4f49267dca72e22cc9aaa7bf88

Download Submit
C:\ProgramData\KFIDAFBFBK.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\freebl3.dll

Filesize
148KB

MD5
f2efdb84208fd0e1f3767328311a5ab0

SHA1
0f60358ef7762539a9cd411af8b2a5194b7d0ccc

SHA256
d8f777bccd9f7ead9ab536a082e62a380a25ef609a7186f6c31252f1349cbbf6

SHA512
be0200be8a1a6e3055079485e984bce1221000567381977fdabb3f75bb56c7ce614d57794bae7f8b361c46aebaf486bee78aafdf05ea607b0b1ac6c1294eed4d

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
69KB

MD5
d7e61dc91ba0361988c9fe80d566fac4

SHA1
5f37bcd8bfea3948098286f9c47822dda620b85d

SHA256
96c4347a1195215b6356ee4a3a7fd2c99adce27e7bed43a7b3fcbcb523e8d37e

SHA512
eb14ec03ded2f85713983e6ce490e5e8d53f1d19225999c13ca407092b74418b1d4c1e4aad782a48f158ddec485621cb0acee32882ea71ae876914266c09195f

Download Submit
C:\ProgramData\mozglue.dll

Filesize
79KB

MD5
f2abcadc056ee3999632d7d21e26dff9

SHA1
c32895a47c3fd7dc020f4aefcf01cc51bdc0984d

SHA256
ad7c726ad212d951b397b240852ea2b21459d7391a1efa5d77ca37182f74e172

SHA512
43985ac136a926cff3664fea90b2af8054d4d18a71829b8617bd49a44ab14102c42eada06559b41aba2b3a9fbba0590eadf411eba5391d1eadf941f54ceff62b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
173KB

MD5
6467ee29611e45653bc0855b61d420f3

SHA1
d9868d4fe9bd0ae4c0a9189658f229e4ade05bd8

SHA256
5e6967fd9bf66e0519046ec0231d21fe06fa2cb52dd582a58bf2a065f6327985

SHA512
81f26e6be8901cb353294f130749ebb58b670919f4efebdee4e4c356b54578870035267263c9fdd5d7a4c45d76f9ad26c8ea30cc0750f280d56e8aeaa8dae65d

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
81KB

MD5
11432a82294cea6b6400b17923f3680a

SHA1
5d4d4ae67fc074329ddf3ca54db112fe917e81ab

SHA256
de6d447934f7c61c44516636f982e3108f3764881a7a75dad0ad32892aa39d73

SHA512
b7f055dd94870cb2dbf72166b54eda6b32d110abbf1e90e2c0962cf1cc7edc807472e61474a3688d5674291180a3f3e9db6c0fa2d5b502cade94e48701c0af86

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
145KB

MD5
078336a5c937bb858eda225f46620a96

SHA1
5d7ffd90d0e45e199a61abdba86dad37680f89b3

SHA256
e4453916b7815a13399912bae54f3f8aa876ae41f0545d4b38826adb33beae42

SHA512
4049639306fae3c6e5aa2c080ed7b846cd4038fb3cd248c92eeb1d106c16d882f76548905db4a63e56b9091e543a4d3e84654892ec39caf8d7dafc9b90ae02a5

Download Submit
C:\ProgramData\nss3.dll

Filesize
83KB

MD5
7b94fb0cdcaff263f2cf6dd3ed5992d1

SHA1
56ca4230041a0f3a080d53dc1a7c6cd71a01accc

SHA256
ae61243c03a012300f58ccf34c3d02a80f824c848d79a6ba0522d13b2c82a143

SHA512
d623a3298247e067d0a92dc5d8f2a88caa68856aeeace98c4def9a6206bc3fa207c2d9b2467a9e978ad4a536e44e054bf6a6a5fec33cc35161a806760d51a6e7

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
148KB

MD5
d1975de33bdf08156c12ee5909a6fc3a

SHA1
2c29f9ef9492691a884f4572a5f9ab0185540522

SHA256
fc0e9db0473ff548f512e1b8e8a34b6801fe21cd366432bba46ba6fa4326e372

SHA512
219e99b48a84243a75b6ea62ccb2932dfd7d57d38ccd5f46543d11e0c98e86c6a61efdb631e1bdd1cfd274686509496be5ea61da589ad1fe2519556547ba0a49

Download Submit
C:\ProgramData\softokn3.dll

Filesize
99KB

MD5
264ed0eb2f1e0b798bcf23945ebb5faf

SHA1
6d94f4447293ca16665a0422a8e32875ce5d256f

SHA256
96904b6c07a2cb77922188e8ea6ae81a46bb75ec3c6cb78aeccab816249148db

SHA512
459e21754794d793eabb113cfbbebbd4932c1b447d6ae3f5b43ded0a89403eaa6380ff5ab56d8f50c8b26932734e3666faa5a6f3baf42ada8cb7192f299b06ff

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
58KB

MD5
5570d2daad082b434095467c7d15b018

SHA1
db7a89febd4076032c19df81ebeb05a4aeb6cad8

SHA256
d539a972358268e93cd6df87de8697e1cd4992bc82c83451eef6969bb286c925

SHA512
51ffe80eded2c6dc5079f9bece6a666d9aa9a7a01f46407bbcf5fda48ed5110ec903b0b13804242e0a3976ef919846078a5c18caea990ad85030e62e47c2b14e

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\AdminKFIDAFBFBK.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
2b36821f56b5af8c6696d071788bdcbf

SHA1
19bc0e2633ad82f28beb4e7e72cf3b208f3ba435

SHA256
6bd2e70bec06d9aaf7d4a4e43e05ec5cd6d86ba1ee462a4a43881c5fc7e1ab02

SHA512
eebf46211ad75641582459ae8fbbefc29a6d402fc03576738dd8d9f17c9675a2befdcfa1d84120202e39a47bcf721e341cdd8628c5b269ee489f6ac038268f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
e7034efb036efaa3c5760e5a53cb7b1c

SHA1
47772b13b9a091001ae1b656a488deee29c166bf

SHA256
370af728abfe9638fce39e65e38013a9aa38d769994b80c90f81d1dee5a16f6c

SHA512
ac794896e0f06dabf8c8130599b1c7a365af163ef84984f42dae44c3f18a9401347b21075d4ebbcb70d96eeff9707a9f747726d1b8ebe1e1317c1b0fb165d486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminKFIDAFBFBK.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\76561199780418869[1].htm

Filesize
33KB

MD5
b06ac703da7ec59a1fbaf5002d9f0079

SHA1
c6236f3235ca21dc7c63e159ced1f36e8df20952

SHA256
5096d51f3d1be76c999b670bb4568b3a09d3e2b9543109e07cf7453bf03595b0

SHA512
d6963ab060429cc311e0092b0455330dd8517da7dca77d49ca167bda629adc676a8d089beda150b51bcbf3538f70247ca5b6a2e1292fe05d5d934f8d8f2dbda9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\76561199780418869[1].htm

Filesize
33KB

MD5
8b4f1b7c4d879d69c2e012450e92cc95

SHA1
64937740875e6d2af70bd4afdabaa87cd82e1e94

SHA256
ceadad1021f80db06b700b3d427d46fc69e5b91670afff2c586d0d9dd0dd6413

SHA512
ab7a4fd4d2c5933672673128e3dd1726633d846a1fb1e22ba1e25606ec7e29d06dbf1e1985bd2ae584594a430819a800123be6d381ee6c309b3b4debf969dc6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3ebc10ee11144723b9bfd120736e7b1d.lnk

Filesize
1KB

MD5
6f3f9bf8c43a9d769f89e633510303e0

SHA1
ed36f0b741e2f3b3dfbdbf27ed81f5586bcac91b

SHA256
200d012425198c1e98f3c9e398fe95af4a7f163bbc9f854f391ae59dab43aa7b

SHA512
30956bc34517d2ec3dadae5855917ea020135a8806c84bda502bd5fe19e6b5ce6509303aa3e9e84755fd28e7f754ce1968fba18752fccc7ac0efce69e5288186

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_565765b8d89c4a0a8473af5343a7325e.lnk

Filesize
1KB

MD5
22408e7e64c27c12e23978dcf2278d99

SHA1
aab263d1a8e7a642bb1167e2be37570b80e16370

SHA256
8af552186e3f0df841dc3f08af0699c17c5c3ce2e76c97abb9c0105e18540c12

SHA512
a0cc3fe2b2cbf6b5cf99f82abec66c9ba88555349d0c2d539bf408c5ffa0e4fa407d7cf260ac10daedfd6db59481d0c4a0bf0761562a61bf759e1a77fc8bb2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7fd19bc290134f76ba72b5c92dc5f0f9.lnk

Filesize
1KB

MD5
ca134293dc1fea256378eb0c02defdef

SHA1
40b31928a2b96804cbc04b629577e9245fa1fe7f

SHA256
07bd0f82bbab0dad3a77cfd429d9bdf945704b137d4296402b5b2a58245faa09

SHA512
9258b1f45b0b38a94049fe80806cd950a31c9281c7981c05c11a3927188f9f6f8bbf97da3ecee2b74ba90bcdf255c01f272638b364989f60cb1c3ef1ddf1723e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_87398882f2f54006a951a627aca8b6d6.lnk

Filesize
1KB

MD5
591d2a9de084ccff37418cf90cd78fc9

SHA1
f12703af9b1bbb95b68b7d88ed46a4c8f22f807c

SHA256
844949c1361ef5a68e66e6fc019cfaa1501165f9f9eab4ef0b368832e2ce783d

SHA512
c3933ffcf92c13b63c3635caf7965163fbd39e5778e1193e95371551f2baf5c320a866ea571671465155187bd992def91d8d2675a81621601220d700ef566d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_98d963949444465989edc15752d80055.lnk

Filesize
1KB

MD5
fa518191e21c3ab6589d580de2c70cf0

SHA1
78038ce7ea13362b33cf37abf1969e54cfe1a29f

SHA256
24fc78d4b96d58f793e5a21498d5a691c1e74d407c33609ff7f526c7a5ca8898

SHA512
899b63ccf493f186f36f4a0dadc8b5a30520c0f59418364541742fa211f8a058f8d0ca8fb396f039302f78091f28800c28f5e6de02fd81f518b49e04c5ed682a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_9a06cfd38ba54a0e89527d28ab0d5bc3.lnk

Filesize
1KB

MD5
f8502a66ef2ed93ab7c246808bbf5a4d

SHA1
8cd038a979b5b69980b8d961403b9113d904c88e

SHA256
243d4e0a5b66c916570904b3619ef56920af65f185f669f242214cb597d66b10

SHA512
255f98e621ad0df9fd154d8eb9bfe95a272c02222e2ecd3b2139b376dc52860a37cd54cc8ce15c5754ce3cfe09de93ce2d5ccab18809738a2f6c1142db1ff343

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_dbdbc34a15aa4020af615a88338a899b.lnk

Filesize
1KB

MD5
048e725a408e5a44740b1592f72d5f92

SHA1
084a492d620a007d0d4bcd408149cc266f607365

SHA256
912f2a426bcc76ac909c8309b4636191fa315b97bbded8b99f541563e209f802

SHA512
ea2d8b0f3300c0e245ef2681dcc6ce7e2f0a05cf94c0af91628d1b449a52a79993ed7280821790899ded0831dd58fa1456e4e7f007912cb7e61f47d756c82b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_fd1206788c784a07a5716833c5228931.lnk

Filesize
1KB

MD5
afd6c4c1dea5d40f62d47a6283320dd0

SHA1
d230a790923738fe035a75de9b2623d3b170db23

SHA256
3a94420b23e9e7ae72ac0f8bd6abd084d54866325058462af2fb78a028cb2e12

SHA512
c2c186b568633a7956aec6544979b6ec2cfa7b1e979814d8e6a71e5fcc188395d1d1e1d697d8a63e00b08ce286549756c24448e9a1f0ad0bf589d22d0f3e0f2e

Download Submit
memory/828-119-0x0000000071F90000-0x0000000072740000-memory.dmp

Filesize
7.7MB

Download
memory/828-100-0x0000000071F9E000-0x0000000071F9F000-memory.dmp

Filesize
4KB

Download
memory/828-101-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/828-104-0x0000000071F90000-0x0000000072740000-memory.dmp

Filesize
7.7MB

Download
memory/1328-3571-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-5886-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-4894-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-5085-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-4730-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-3569-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-3567-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-4917-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-4715-0x0000000022900000-0x0000000022B5F000-memory.dmp

Filesize
2.4MB

Download
memory/1328-6040-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-6279-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-4402-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-4554-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1328-6416-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1416-761-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1416-762-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1416-757-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2612-3694-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2932-1114-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2932-1116-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2932-1711-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2972-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-54-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-21-0x0000000020200000-0x000000002045F000-memory.dmp

Filesize
2.4MB

Download
memory/2972-20-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-79-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-37-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2972-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3212-159-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3608-500-0x0000000000E90000-0x0000000000EE6000-memory.dmp

Filesize
344KB

Download
memory/3636-3042-0x0000000000040000-0x00000000000A8000-memory.dmp

Filesize
416KB

Download
memory/5088-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/5088-5-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-18-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-1-0x0000000000B70000-0x0000000000BD8000-memory.dmp

Filesize
416KB

Download