lumma | dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01

Analysis

max time kernel
33s
max time network
73s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a95bf64bb82802b60c903d8c870f61d.exe
Size

404KB
MD5

9a95bf64bb82802b60c903d8c870f61d
SHA1

d889bcfdd4228927887e2eadfeb4030ea5424e13
SHA256

dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01
SHA512

57f5baaea6a32468ab1c13771a9974b6986a308f3f98c7d26b78ae085d6ba5596ed2a46b43fb42b5834e0d8e086a110989ed929591941ae213019d19ca352111
SSDEEP

6144:lLhXbAjomx3DQIW4k283tPTw5hO8uNzPIE9TYFwjJUJZqAEuAQXEO:lL9bpmxDQIbkdwKrIGiwj0ZoQXEO

Score

10^/10

lumma vidar 8b4d47586874b08947203f03e4db3962 c7664db1b2143bb72073c634fc34cfef credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

c7664db1b2143bb72073c634fc34cfef

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://underlinemdsj.site/api

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral1/memory/2536-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-10-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-21-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-20-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-16-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-12-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-162-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-189-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-215-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-234-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-365-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-384-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-427-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2536-446-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/268-635-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/268-633-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/268-632-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/268-629-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/268-627-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/268-625-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2228	JJJEGCGDGH.exe
1548	BFHDHJKKJD.exe
2140	BAKFBKEHDB.exe

Loads dropped DLL 14 IoCs

pid	Process
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 2228 set thread context of 460	2228	JJJEGCGDGH.exe	35
PID 1548 set thread context of 268	1548	BFHDHJKKJD.exe	40
PID 2140 set thread context of 1852	2140	BAKFBKEHDB.exe	41

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFHDHJKKJD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BAKFBKEHDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a95bf64bb82802b60c903d8c870f61d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJJEGCGDGH.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1720	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe
2536	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 1480 wrote to memory of 2536	1480	9a95bf64bb82802b60c903d8c870f61d.exe	30
PID 2536 wrote to memory of 2228	2536	RegAsm.exe	33
PID 2536 wrote to memory of 2228	2536	RegAsm.exe	33
PID 2536 wrote to memory of 2228	2536	RegAsm.exe	33
PID 2536 wrote to memory of 2228	2536	RegAsm.exe	33
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2228 wrote to memory of 460	2228	JJJEGCGDGH.exe	35
PID 2536 wrote to memory of 1548	2536	RegAsm.exe	36
PID 2536 wrote to memory of 1548	2536	RegAsm.exe	36
PID 2536 wrote to memory of 1548	2536	RegAsm.exe	36
PID 2536 wrote to memory of 1548	2536	RegAsm.exe	36
PID 2536 wrote to memory of 2140	2536	RegAsm.exe	38
PID 2536 wrote to memory of 2140	2536	RegAsm.exe	38
PID 2536 wrote to memory of 2140	2536	RegAsm.exe	38
PID 2536 wrote to memory of 2140	2536	RegAsm.exe	38
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 1548 wrote to memory of 268	1548	BFHDHJKKJD.exe	40
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41
PID 2140 wrote to memory of 1852	2140	BAKFBKEHDB.exe	41

C:\Users\Admin\AppData\Local\Temp\9a95bf64bb82802b60c903d8c870f61d.exe
"C:\Users\Admin\AppData\Local\Temp\9a95bf64bb82802b60c903d8c870f61d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\ProgramData\JJJEGCGDGH.exe
    "C:\ProgramData\JJJEGCGDGH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:460
- - C:\ProgramData\BFHDHJKKJD.exe
    "C:\ProgramData\BFHDHJKKJD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:268
- - C:\ProgramData\BAKFBKEHDB.exe
    "C:\ProgramData\BAKFBKEHDB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHDBKFHIJKJ.exe"
        5⤵
        
        PID:1084
      - C:\Users\AdminHDBKFHIJKJ.exe
        
        "C:\Users\AdminHDBKFHIJKJ.exe"
        6⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDBGHJEBKJE.exe"
        5⤵
        
        PID:532
      - C:\Users\AdminDBGHJEBKJE.exe
        
        "C:\Users\AdminDBGHJEBKJE.exe"
        6⤵
        
        PID:2132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDGIECGIEBKJ" & exit
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CAEHCFCBKKJD\EGIJKE

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\CAEHCFCBKKJD\GHIJJE

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\CAEHCFCBKKJD\GHIJJE

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\GCGHIIDH

Filesize
92KB

MD5
e248975fcae2fff4649630d9421bd44e

SHA1
283f382e83b0767a0cd6b2d54bce3c1c315c60d6

SHA256
2e7470ccd25b6d7e9606f29643dbda3e3a4ef3f0575b2d074986c80cf8b148d2

SHA512
9bd5cf49a7773811d72be905cc8dfc2310f82899553c6f598a52b5dc261fc26191462855fdba8b3a83c8a317faed71a1a134df83f338c6c9442ee792cdf7428f

Download Submit
C:\ProgramData\JDHCBAEHJJJKKFIDGHJE

Filesize
6KB

MD5
2953744122e39dcfecea78e1e2c1873d

SHA1
de6eb033f8c462ed4cbb28c47ba97e2ac8e6630e

SHA256
f352c7b0f1d8f402102e3ea11e86795cccc21be5b6ca54db5e1b8885dbbb0ac3

SHA512
187ad2916e1da0e3ee950d79979e45b9e143c266c0eb89d58ceeb884b9729986bd80bba29681e7dd15b603c325bf6d06ca4504a2ea655070af7856c06b9701e8

Download Submit
C:\ProgramData\freebl3.dll

Filesize
122KB

MD5
f0d318a86abb0fceed73cabec867681e

SHA1
14866601d82fcd548e42c2b4312645d64e2e6fbe

SHA256
f0b6fe13ef4db05dcc4c9530938d6d6ada1fac18b0493bc91ab75a3a5efcb2d7

SHA512
1a949600e890ffd7b361cd16b3b7549b33d15bbd9b8bfb17dcb276742082b65a4193e1b6da0d4ee4a27ddf1ffe4040036abd73f9db7a8d38e15f20a2621abcb1

Download Submit
C:\ProgramData\mozglue.dll

Filesize
11KB

MD5
3016af45a4c7045b394c9a131197754e

SHA1
04ddb46a00ec97a965f199fdc80bb5eb1088a5c0

SHA256
077707610bbfd5f1e371e5eebbf263de599863ae3fe3c3ca93bbe8a70eb3aedc

SHA512
1bae6407a7870c2e0720b548b4e9b5855d2a1b155ad13be48173fb3625abe4141b94d1fbbbc32f177b5646dfe929de863e9bd68794c344cda5b304e927b01244

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
122KB

MD5
c9f1f017b25132bfd096141842d6a5ee

SHA1
524f95a671d0bf47e80702014d4a28d7c290ff2b

SHA256
73033ad8b8c507d951937f2ab334313b256a0b7effbaa4433cfb075c2340f451

SHA512
bb490f4b60bd8fcb1db80933f274abb75a829ad67ee1afed16d19e77e760f866ccd7bdf9a9c87b54300692bb44610ad1bdc4197e2ea80c18472256e529d5c667

Download Submit
C:\ProgramData\nss3.dll

Filesize
144KB

MD5
5b286acad456d029cfc2c6b0b5734e98

SHA1
776f09658d627aa2fc056ab2d1a2686a3576b5be

SHA256
01ad7ade90fda2ce4ebb19b7710b4c5a832be391d472278c5938e4587d78d2e4

SHA512
a0bfa72aeb68913792b42d7b910ee13552e88efe1b21620b7f6e4e82baa344e707e4c382c8addb231e77266c223396c6a878975d172ddd8991caed8dafb6a682

Download Submit
C:\ProgramData\softokn3.dll

Filesize
87KB

MD5
842ccb3e9856570ec670bd0fd5adae21

SHA1
08de064c41f237c0502bc71849a8654cd2ab3272

SHA256
945bad97952b8789cccea0cf0a62b6e96dfd517de2dc81e4142b849462cf6e05

SHA512
475f8850962c66e717382aa0454fcd49b6430e2e1ea4dcd62192a0b783a9942b69d3f959491f02cd52ad148058c5ded5921c47e0971a74253d22dd58a4c3e79a

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
53531d3b1632c42fbb5282b61f41eb70

SHA1
3e57dd0a3966162c6bf62d02cef4abcff03c1159

SHA256
b949b4e92e2803878a2b71476a58d2cbfd53c95ab7bb1583ce4e77398f135105

SHA512
60d25185037c526ac8a8c928891c2ea5fe3a5d8d24fd536b36bdaea07953350aa25c45038c5b0db4166912da3ea502a959dd4de7dd6f602d2d6cdd1d349c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e5310c7f8581629b834ae9ad316bb22

SHA1
46307845ad73c73148ee4903415e7d0fc922ba0d

SHA256
aef0668d7d913ab55be3f6e54f92e1feb30c8e6bb6b61e2fa834fb2812a19e04

SHA512
00284a21fabcbe7bbde241a3140a0ecd06102492980555c4a6f067d61c0b314350e68d79b0bd3e0535db33ac375700727583c380dc3b243a43c5ca6100ecd3ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c6aaa934cdac9e6926e80cdd86e22bb

SHA1
acb8f139618c4ec48e108c096bace3652ec30a9f

SHA256
17f2eee52c7dca137300330a759ac5d0e772b0e210037c7397879c332c683034

SHA512
1fb515cf8e61fc40a7fb82e17fbd201e8fd426bf4bbda3fef8cbfd67125a082a02b85c4017e7aa2d452b67827550a28928a35ade0fb86a41bec79dcf6337bab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
d2364ae8e296acbe75749da135052881

SHA1
37e153853b42e88107ec7f2ba6b55edf77a89815

SHA256
dbd43d1b1363ab6c1f14f0cf11d732d858e51bb6ada1b484d88b52d189cf7195

SHA512
fd5e45254296def02531efcd620efb69e89e870a1ae120348190c4e8f6af2652a16311b4ebf06bfa8ffdbed9bf1bdb75456b4cab9dfb5460f6e7fe80c1521bd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cce58a476b78846a99677526aeb0c88f

SHA1
d4a8da970c32c867b8599ed00b42c63454d9099f

SHA256
7be4cdfc4b4a489fd5ef66243235d612ea8bcecefa19c8859e948a4524558296

SHA512
fea8dd4ac59d1f712e02b376935b168caf860d299cb60475469d4fc0e5bfe34ee2cb942418377cb19052999e5ceb3a5dc9665afd7113ce4aac7f33c1c359baf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\76561199780418869[1].htm

Filesize
33KB

MD5
adbf321f8271de75c59fbf24515394cb

SHA1
bf47e7af59ef9eeccf292fe4304d7a03290d6d69

SHA256
35efe22b824f1ba9ad223c2a41895829ea441198040c6c40626ba401fc7f8dd9

SHA512
a6934ed2d9a59cef83b14b77922926961751b2c62a639e380910bb7b8b277d0fbcceda2de4c3ac39e4612dc4af08c1f769d34536de9379238b4c95aa22667b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\76561199780418869[1].htm

Filesize
33KB

MD5
09a9c38856c5b6f0c8a794a224de2887

SHA1
3ec4c25f5a5a564c1d3f56dbf40543af7f3ff1d8

SHA256
fe38ab68ece82cda5ad4d450786d6566d2c7478f4e5622ba1fe73dfdc3d1830c

SHA512
708e4f5b060f68db80faee44fd9dce1d4ec704ecc7a85f26c7530eab98488b086418d4de179f99ba393f154d3cdc7fb893e4df62ac28f91d1f9cfe8dbae3eddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA69D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA6DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\BAKFBKEHDB.exe

Filesize
327KB

MD5
dfd49d1326704cfeee9852999782e4b6

SHA1
4bd1c441c55ec55a1cac7ca2bfe786a739cb01a4

SHA256
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef

SHA512
fe9e9537f76bf36b6e6abd340ef135d5d017bb2b067239f6871f5a8952d2a5b823dd89838b8d31a928b40a1a70bd83010e5f3f49905672fbcd74b763d65504bf

Download Submit
\ProgramData\BFHDHJKKJD.exe

Filesize
404KB

MD5
4f828f95c11479c61692052d9254022a

SHA1
68f1fbe839f2d41f434bdde176ccc3e6f38ec503

SHA256
00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a

SHA512
91cc6dc01a62337c542c31337057653c5e41ae7b88621bc1041786a260a5b78fb834869ce8aeca05ab8263c45a41fa7833ee262440d157206b1ddae675d814f5

Download Submit
\ProgramData\JJJEGCGDGH.exe

Filesize
372KB

MD5
8a73502b83ceb6b31b9fefb595876844

SHA1
41094748fdc11cd79057c14c39210d6833a25323

SHA256
af60c2dd60ece7f8e83870b22b1c5c0e095c9c3669171c16eaaff406cda6eeb2

SHA512
e5bf9b9b78c8306c13df04db83bbe4c76f0914fffde4bd584a5b96da5150102167df61b1315382a5af68038c2d3cdbd2e2414082659757c402979d3c3772b82c

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/268-629-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-627-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-625-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-632-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-633-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-635-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-621-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/268-623-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/460-529-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/460-536-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-533-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-531-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-528-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-526-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-524-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-522-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/460-527-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1004-806-0x00000000011B0000-0x0000000001218000-memory.dmp

Filesize
416KB

Download
memory/1480-17-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/1480-4-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-2-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-1-0x0000000000F60000-0x0000000000FC8000-memory.dmp

Filesize
416KB

Download
memory/1548-573-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/1852-639-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1852-641-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2132-835-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2140-591-0x0000000000EE0000-0x0000000000F36000-memory.dmp

Filesize
344KB

Download
memory/2228-508-0x00000000736EE000-0x00000000736EF000-memory.dmp

Filesize
4KB

Download
memory/2228-510-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2228-520-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-535-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-537-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-162-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-10-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-201-0x0000000019FB0000-0x000000001A20F000-memory.dmp

Filesize
2.4MB

Download
memory/2536-12-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-16-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-215-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-20-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-21-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-189-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-234-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-365-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-384-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-427-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2536-446-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download