stealc | 6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd

Analysis

max time kernel
18s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe
Size

403KB
MD5

5456c9b238c54e52277972cdadf6764d
SHA1

512977a16b78c08e9aeb028e06a5995fc36c0d40
SHA256

6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd
SHA512

bf6cfbbc35edcfec8d8dd2c7be5c587b2b43ada1bb1a43620711cc713b122e41b978cfb1b5b0f8dfe107bea00d34de02c7a112926302652f3810a779a818944b
SSDEEP

12288:WAdGQU/9evJZ/vzqp68V09Ij7THMweRdj0EO:DdxJvJNvl+jPR2d4t

Score

10^/10

stealc vidar 3a15237aa92dcd8ccca447211fb5fc2a default credential_access discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/2356-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-6-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-35-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-36-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-52-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-53-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-77-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3400-85-0x0000000074DF0000-0x00000000755A0000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2356-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2764-2636-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2764-3375-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2764-3466-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2764-3572-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/2764-3637-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DHCAECGIEB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MFDBG.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5bf58b3b7b584988b61a7db645697624.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c5318e0ecbaa42a0ba75b66c24b0fbab.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0e6bf01524734c97acdb664b99f8244c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a98585d29f154e2fb628bf9443960033.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6cc83db8fd4a433ebc5e07be84101ae1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_b9339cfd8e164b1a8f71aa42f038c735.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bb4e782d50b3495d967d90de67cc3eec.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1a419111a7274199ad0950bd420070a5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_33a1228906c24327adf906d6c490fea2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_10243d8640734e02b781f78af516eb41.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1a58eef5be644438a3f5694fbf716fd9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d65d85fe94e24c88afec4a92584cf58e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_02836ea490a249e0befbc612ca28d921.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7ad2b6a73dc94374a999b22edb90039a.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8132bcaccf88454b84a2d57acba53b56.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_16371e317280435ba446b67de8d81c88.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_4002fb6ebd07424799b5b965d83ca776.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c7cbb13879304a15a744be1d9e21be3f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6aa0bffc291946709aec8e098f61ec82.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_0370e955571e428f8092c754065177a6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_40861f6f69dd4686a5b9bc27dee94a58.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_e27d2a70718c4327a36eca58e59ab89e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c2627a6d8b164c55bb6dfc87a59b9cc2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_bb9eff2e2e5b435ebc702bf0b020bad4.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1b3a6f8f5dd249cb967b791274d8c6b1.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d940ef47ae3c49578eb17db70edc6fe2.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_f63ade19d28a4c698e5a3f1c2416aebd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ef60d113f3b146fab484adaa8f04668e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_174019f201494fa4b50d18576e47fed6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_96dfaf9a4e0146c788a4abeef0336758.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6dc90961b59140c6b8fa153e2d3fc0cb.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_a73f2cbe914a46b4a402819523867e91.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_7df55b374e144fb3a1631a2bad00e19f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_106a58bdbda44b39b71f4c465a8d0ded.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_051a37b0017c4430aba13f1c0c285325.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_49e4b943363c401d906f73a00bd4f91f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_1441fa22075f4cb38d1d12ebe06d8151.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2c8a9b34aebf4334b357fede07b93462.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6c7244150fc34da8aa9f5da7e3d0d1c0.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_00595705b8c64837a6ec1c8c82ed37cd.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_374d6b2a61904e388dcb459a70a9b7ba.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_d1d50805b6d1461e8e394e8d1067c229.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8818ad56f87c4bf09641a86d6a4a7d78.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_db821b5e03704cb58f3fd953adaed4b9.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_ea002f304de14124913148583d752597.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_086e721d2bbd4a8896c2601a8babdf21.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_484f5fc48cd94262af1fe31485851e7e.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_5a69d8c39f8e4fc99b1fd26533b988f5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_81008921941d40ff9ec940497a3131bc.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_73b3dd4375734f08b351664e08a43df6.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_8f1f43d8d79c48bb9b9907b070c2dd03.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c1f19815e17f486bba819b1cd87a7589.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_6e3625d00f4e496695758dbb3ff3f81b.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2e93dd1eb2ae4967bf1a5b31cb0e0551.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_99d6e1de00ca4c9789774b958fb8e067.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_afcf8249d229412280dca8516e76535f.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2fe94b314db845c4914d06d6064c91d5.lnk	DHCAECGIEB.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_93670f58f5c242baa70cdb5062993aab.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_22455654871449fb80238477676e37c5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_c11150c02e9d4896ac91fe3b9f9ece3c.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_3daef226341c4ca88491b90c44c70137.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_08e7e83f3e9848ef9a236e72ed861cf3.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_259606046a434792864ef1ffc2f343c5.lnk	MFDBG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_129daa0cee1b483097eaa27eed46f3ef.lnk	MFDBG.exe

Executes dropped EXE 5 IoCs

pid	Process
4240	DHCAECGIEB.exe
2380	MFDBG.exe
3292	BKKFCFBKFC.exe
4228	FDWDZ.exe
1488	IDAEHCFHJJ.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	RegAsm.exe
2356	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFDBG_5f74d011ec7a4e968823621369c819d4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malewmf\\MFDBG.exe"	DHCAECGIEB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3400 set thread context of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHCAECGIEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFDBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDWDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKKFCFBKFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDAEHCFHJJ.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5088	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	RegAsm.exe
2356	RegAsm.exe
2356	RegAsm.exe
2356	RegAsm.exe
2356	RegAsm.exe
2356	RegAsm.exe
2380	MFDBG.exe
2380	MFDBG.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe
4228	FDWDZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	MFDBG.exe
Token: SeDebugPrivilege	4228	FDWDZ.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 3400 wrote to memory of 2356	3400	6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe	83
PID 2356 wrote to memory of 4240	2356	RegAsm.exe	91
PID 2356 wrote to memory of 4240	2356	RegAsm.exe	91
PID 2356 wrote to memory of 4240	2356	RegAsm.exe	91
PID 4240 wrote to memory of 2380	4240	DHCAECGIEB.exe	93
PID 4240 wrote to memory of 2380	4240	DHCAECGIEB.exe	93
PID 4240 wrote to memory of 2380	4240	DHCAECGIEB.exe	93
PID 2356 wrote to memory of 3292	2356	RegAsm.exe	94
PID 2356 wrote to memory of 3292	2356	RegAsm.exe	94
PID 2356 wrote to memory of 3292	2356	RegAsm.exe	94
PID 2380 wrote to memory of 4228	2380	MFDBG.exe	95
PID 2380 wrote to memory of 4228	2380	MFDBG.exe	95
PID 2380 wrote to memory of 4228	2380	MFDBG.exe	95
PID 2356 wrote to memory of 1488	2356	RegAsm.exe	97
PID 2356 wrote to memory of 1488	2356	RegAsm.exe	97
PID 2356 wrote to memory of 1488	2356	RegAsm.exe	97

C:\Users\Admin\AppData\Local\Temp\6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe
"C:\Users\Admin\AppData\Local\Temp\6e25c012659d74422317726da92134c5e9a70a937a1ceb585b83aeb99eee36fd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\ProgramData\DHCAECGIEB.exe
    "C:\ProgramData\DHCAECGIEB.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe
      "C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
- - C:\ProgramData\BKKFCFBKFC.exe
    "C:\ProgramData\BKKFCFBKFC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2396
- - C:\ProgramData\IDAEHCFHJJ.exe
    "C:\ProgramData\IDAEHCFHJJ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3220
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKJKKJKEHDB.exe"
        5⤵
        
        PID:3908
      - C:\Users\AdminKJKKJKEHDB.exe
        
        "C:\Users\AdminKJKKJKEHDB.exe"
        6⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIEHCBAFIDA.exe"
        5⤵
        
        PID:1728
      - C:\Users\AdminIEHCBAFIDA.exe
        
        "C:\Users\AdminIEHCBAFIDA.exe"
        6⤵
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGIEHJDHCBA.exe"
        5⤵
        
        PID:752
      - C:\Users\AdminGIEHJDHCBA.exe
        
        "C:\Users\AdminGIEHJDHCBA.exe"
        6⤵
        
        PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IDAEHCFHJJJJ" & exit
    3⤵
    PID:1260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AFHDAKJK

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\BKKFCFBKFC.exe

Filesize
368KB

MD5
28f06ee2c727adcae5a328aaf02d95fe

SHA1
3c73c34aafb67d828341906877894670d2f113fc

SHA256
df52ba7d8ae16928e82e3554558d25b7582d3e67025a7dfbb71f6231ba9a7899

SHA512
d292b0b49f280ad1a955c1eeb720ef6bbb23339928e4f33326997a1a69f85ddf91fcf6f1e0ccec8f1b969a1c91d29c41b0dbacb249c40b3a83d50c9b9c37a806

Download Submit
C:\ProgramData\CAFIJKFH

Filesize
114KB

MD5
c3311360e96fcf6ea559c40a78ede854

SHA1
562ada1868020814b25b5dbbdbcb5a9feb9eb6ba

SHA256
9372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b

SHA512
fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65

Download Submit
C:\ProgramData\DGCAAFBFBKFIDGDHJDBK

Filesize
11KB

MD5
b4560ae8656dff8cfa1a9f696630fced

SHA1
8b658750d361c4a059cb2adaab144093d38566f0

SHA256
4c3ab6ae368aa3e61b058bb106e9b9b2e2d14ab541ee529bff98afe31aa42bea

SHA512
597ad1c80fccf703663d27326354b75ee3970a1e5b7a798538dd8c14a2ba2db894d09ddd6d26a48bd7d4d0ac41235fbb489ef4b746299fd35a707573156c5717

Download Submit
C:\ProgramData\DHCAECGIEB.exe

Filesize
26KB

MD5
0677d5eb007dc9b0de2c5ddf8c3886d8

SHA1
d455b38856bb2a143e5edc2ade8db811e4e9a71b

SHA256
f33f40367e6a3878f2c8df07683413c77126150d076684fdbc295e9a7a0e5164

SHA512
983d9081093f838e6b1b2a5a70e4726caa8fe4a54e83c0bc66985751a88ca9122e5c14688d18c0b9b738195a22ac40900de39c4f49267dca72e22cc9aaa7bf88

Download Submit
C:\ProgramData\IDAEHCFHJJ.exe

Filesize
326KB

MD5
4ecc9d9d93e5ff84765dacbb1e54a4c9

SHA1
f2f796276b0aa4adcc02f6b9d11aabf1d97f9a06

SHA256
eba091f4887e9bc9e0308d4e7830b2ae7b50eddb7c53425bd78db0f959ed6524

SHA512
dc093ad97b34a5afad3c324c24425c950f48d5601444c044a718a0e47355a8f125d54a07fd8969ab85a00cce2d3c148a7dc2dcb4628647ed2c8e1ba50955b8cd

Download Submit
C:\ProgramData\JDHJKKFBAEGD\AFHDAK

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\JDHJKKFBAEGD\AFHDAK

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\JDHJKKFBAEGD\JKKFII

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\freebl3.dll

Filesize
44KB

MD5
07b0e7cf7a6d2210418bb45996a23bad

SHA1
b84099f7144f6d46412d0b27023152f2c56323c7

SHA256
5a34f34cc02268c335fb9d6499c16d517fd415ea4c45883e826978b6dd7d2f53

SHA512
54e09d8afec8cfef8d164a81dca779dfa396748345ad1cf715f3413a87bcf05f92e2c98077814621b0e168ffcdba9fc48c41d72bd3412d3a5019cb9af9fa3d59

Download Submit
C:\ProgramData\mozglue.dll

Filesize
96KB

MD5
75fd06b259094b45aa25e11ae4ab34cb

SHA1
d4eba60454ac64fd0a7c316d26a9117198ebfb7e

SHA256
90712bbbe8f2fd7b7830f1fab89d8ab9c5df45c487d6296ee41e596190bd68b9

SHA512
c61b9f292a0ea76541fde29225aac2513c741a4dfe16a9240b857476766b4d84a8e0c033cdae78811073eb1473e87f04f6b9a6428b11e815ad186919e614d4e9

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
54KB

MD5
90455627b3e3ccbc228c763b99b2e2c3

SHA1
8541d252a359bc32b169afab4e7c1a6cb1269974

SHA256
2369611d5f9ae8d3eec1b9494c9b0eef06fcb12f5c3cdd0df9f3b24a94fe2524

SHA512
1132748d59ba086121a59c7035e9f14dc85b3b23d61ebdebcbc296e33ddb4ed38fabc89f6c7a2049d95c5ddaee70d46b254731ea8f21c0250baca7a546054585

Download Submit
C:\ProgramData\nss3.dll

Filesize
206KB

MD5
52ae72466f6f1daeaa8450041861c6fa

SHA1
5994932fb3ceea43da11c33f74ec5dbb9fb3a393

SHA256
ea7a3dc6c0932c3ff63705ca25a71efeee465493eb1c2614fff99bcda8d48a35

SHA512
b04448e7a0a491f17771d1ba760b47a45d5de85eea900b41cf158be5a305d34cbf748d503de29618270713a385f9451af7d7a8d46712e26241a038b0f708daff

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
162KB

MD5
804364d88e3b3721224629deb200e8e3

SHA1
6f79ec8e490b20bc259e9f9af304df5fc9a27df9

SHA256
8c1f2f7e2fca347a88b643e2af66071f80058c248d7ad5c48e52a30ba5512dcc

SHA512
9e2fc1f4decffc97387cb9062a423228f95405ced4d9adf2d9ca4903ece17b51dcbe36db6be0bac8bd80ec6c16bf71c47b4beb825d0ee12a609663138d9848d2

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
46KB

MD5
117d33ff0d7cbc81a6de514d37d86320

SHA1
c74f87f39e8c857e7346a1aff05dd776a3985634

SHA256
6409fba002f3722b4c5ddbdfbb55a2f38bdfefdb72d8f484062076c3ff353092

SHA512
ca6cd9c3a778d381e8226d1943d41e92d563bcd97b93b5bced2be4e2fca6f4fba53776957a6dc3cb4adc621c4f07c4d96af559f051f6bfcdb58c78c4099b2046

Download Submit
C:\Users\AdminKJKKJKEHDB.exe

Filesize
403KB

MD5
80729909b073a23f2caf883d9b9dce98

SHA1
cf621df3f09b1103e247e1292e6c9d4894e90d92

SHA256
b832829177dcfb2f224062fdf796ffdce054c66ac391d4a2efdec7e06aeb69ee

SHA512
e197b71e9b91aa83f6ff0ca454a8ea72c66043449901595613d4d6ad8ac0e007e7ed10c6b1a428692eb6d2a29fd114b0afcfe7a678b6fb11b475ea6fb5ce0b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
2b36821f56b5af8c6696d071788bdcbf

SHA1
19bc0e2633ad82f28beb4e7e72cf3b208f3ba435

SHA256
6bd2e70bec06d9aaf7d4a4e43e05ec5cd6d86ba1ee462a4a43881c5fc7e1ab02

SHA512
eebf46211ad75641582459ae8fbbefc29a6d402fc03576738dd8d9f17c9675a2befdcfa1d84120202e39a47bcf721e341cdd8628c5b269ee489f6ac038268f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
5be296985375bf53d23d1a3ee817297d

SHA1
1c29c73a9c12c72e4c9375ef913daf44bbeaf2d4

SHA256
2cb98135de0d64bcd52881f76a0059c2d3816e3602e0ce5da8fd75217a3a259b

SHA512
1c3f92b9507e21dcfc216614ce3a139041307990c75dbb51ae7059af292ff3d09e0b760966598df06fab117fbb3c7e26c779c9e52692b77ccc6c1ec97b350732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminKJKKJKEHDB.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\76561199780418869[1].htm

Filesize
33KB

MD5
97586891afc63215e16b1356b864e445

SHA1
9f9bc6768dc02e9ccc3db200ebe1f859e02f87a1

SHA256
3ac330bca0129a110c4d2d17b6168dcc72bc4ac98674e23470d06ed88587189b

SHA512
8b589609f7ed9fe7e11580d65b1a072c9a70f46cd44fb5efd2862e58e889ba743b9f446fcbf44d7644614738dd26bf1b77e4dab6e1c29f0f026020368b4b4111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_2fe94b314db845c4914d06d6064c91d5.lnk

Filesize
1KB

MD5
cbdbd04415eb26ea280cc7c6a67d50bf

SHA1
915a9c9f5a4d7326195c195dd9fd0b92fa2cb9ec

SHA256
597013f264a73a46438787eb7ac7063cad6c071ed7e2859500232c035f791ee4

SHA512
caf5ca9f56faf844ea3bfd9f13be478e7df562ee3489706cbd6bd468a83eeda337016f0d3d5f932879231c36312d2376ccf46b3db77bee313177c61e5dc3bb8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFDBG_33048255c1c74e429afd354d07f188c2.lnk

Filesize
1KB

MD5
57854dbf349cc72d74296ba7ddde636f

SHA1
a6820fae361e64cf95feae29a9a1e19fabdef36f

SHA256
23e712b94ea7d4fd12e1d0e24b1888b2355984668fcb4fe0b4b970785e09b78e

SHA512
8e1591c89389508fe3c5b6d4de896aaa8ee7b856dbfaccbb24cca435701324e9e4ba3d195c0bfc28ab3aacf0ef1f1aca72dbacbb4342dc6d31591da87543add4

Download Submit
memory/1488-459-0x0000000000970000-0x00000000009C6000-memory.dmp

Filesize
344KB

Download
memory/2356-77-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-52-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-20-0x0000000022B00000-0x0000000022D5F000-memory.dmp

Filesize
2.4MB

Download
memory/2356-35-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-36-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-53-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2356-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2396-696-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2396-694-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2396-692-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-3375-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-3466-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-3551-0x0000000022710000-0x000000002296F000-memory.dmp

Filesize
2.4MB

Download
memory/2764-3572-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-2636-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-3637-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3220-1424-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3220-999-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3220-996-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3292-146-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3400-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/3400-85-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-11-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3400-1-0x0000000000C10000-0x0000000000C78000-memory.dmp

Filesize
416KB

Download
memory/4044-2791-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4240-121-0x0000000072640000-0x0000000072DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4240-101-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/4240-104-0x0000000072640000-0x0000000072DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4240-100-0x000000007264E000-0x000000007264F000-memory.dmp

Filesize
4KB

Download
memory/4952-2192-0x00000000004D0000-0x0000000000538000-memory.dmp

Filesize
416KB

Download