lumma | 836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

Analysis

max time kernel
42s
max time network
76s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

413KB
MD5

237af39f8b579aad0205f6174bb96239
SHA1

7aad40783be4f593a2883b6a66f66f5f624d4550
SHA256

836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
SHA512

df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d
SSDEEP

12288:hQq9JI/vWhNOAE2wMUZ0iR4HHW02AEPzYhDU9qcEO:5JXfOATt3202AHhD5ct

Score

10^/10

lumma vidar 8b4d47586874b08947203f03e4db3962 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/2720-7-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-13-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-10-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-159-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-178-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-212-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-246-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-362-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-383-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-424-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2720-443-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
272	GCGHIIDHCG.exe
2488	JDAKJDAAFB.exe
2824	HJJKJJDHCG.exe
852	AdminJEBGCBAFCG.exe
2976	AdminAAKEGIJEHJ.exe

Loads dropped DLL 15 IoCs

pid	Process
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2180	RegAsm.exe
2180	RegAsm.exe
2584	cmd.exe
1872	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2720	2140	file.exe	31
PID 272 set thread context of 2260	272	GCGHIIDHCG.exe	39
PID 2488 set thread context of 2656	2488	JDAKJDAAFB.exe	45
PID 2824 set thread context of 2180	2824	HJJKJJDHCG.exe	49
PID 852 set thread context of 2172	852	AdminJEBGCBAFCG.exe	62

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1472	2260	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminAAKEGIJEHJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HJJKJJDHCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JDAKJDAAFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GCGHIIDHCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminJEBGCBAFCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2340	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2720	RegAsm.exe
2656	RegAsm.exe
2180	RegAsm.exe
2180	RegAsm.exe
2656	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2140 wrote to memory of 2720	2140	file.exe	31
PID 2720 wrote to memory of 272	2720	RegAsm.exe	34
PID 2720 wrote to memory of 272	2720	RegAsm.exe	34
PID 2720 wrote to memory of 272	2720	RegAsm.exe	34
PID 2720 wrote to memory of 272	2720	RegAsm.exe	34
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 2000	272	GCGHIIDHCG.exe	36
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 1332	272	GCGHIIDHCG.exe	37
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 832	272	GCGHIIDHCG.exe	38
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 272 wrote to memory of 2260	272	GCGHIIDHCG.exe	39
PID 2260 wrote to memory of 1472	2260	RegAsm.exe	40
PID 2260 wrote to memory of 1472	2260	RegAsm.exe	40
PID 2260 wrote to memory of 1472	2260	RegAsm.exe	40
PID 2260 wrote to memory of 1472	2260	RegAsm.exe	40
PID 2720 wrote to memory of 2488	2720	RegAsm.exe	41
PID 2720 wrote to memory of 2488	2720	RegAsm.exe	41
PID 2720 wrote to memory of 2488	2720	RegAsm.exe	41
PID 2720 wrote to memory of 2488	2720	RegAsm.exe	41
PID 2720 wrote to memory of 2824	2720	RegAsm.exe	43
PID 2720 wrote to memory of 2824	2720	RegAsm.exe	43
PID 2720 wrote to memory of 2824	2720	RegAsm.exe	43
PID 2720 wrote to memory of 2824	2720	RegAsm.exe	43

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\ProgramData\GCGHIIDHCG.exe
    "C:\ProgramData\GCGHIIDHCG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 256
        5⤵
        Program crash
        
        PID:1472
- - C:\ProgramData\JDAKJDAAFB.exe
    "C:\ProgramData\JDAKJDAAFB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2656
- - C:\ProgramData\HJJKJJDHCG.exe
    "C:\ProgramData\HJJKJJDHCG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJEBGCBAFCG.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
      - C:\Users\AdminJEBGCBAFCG.exe
        
        "C:\Users\AdminJEBGCBAFCG.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAAKEGIJEHJ.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1872
      - C:\Users\AdminAAKEGIJEHJ.exe
        
        "C:\Users\AdminAAKEGIJEHJ.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GIEGHJEGHJKF" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FHCGCAAKJDHJ\CBFIIE

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\FHCGCAAKJDHJ\CBFIIE

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\FHCGCAAKJDHJ\IEGCAA

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\GCFIIEBKEGHJJJJJJDAA

Filesize
6KB

MD5
47a9922b7d7e8a12d5d3b904e28ff3c6

SHA1
18f7b6ba8df12067084ad4a1ed052beb9d9be861

SHA256
0c526f390d22be8bcbb3de376aec632c6c872e8e29278e9a12f4dc6aa66e201a

SHA512
56395dc7ea17dc68a426f011635cce81e9828df4dc3e3d8d0aaa1546f495fdefcd298a7d1ebd090d9126fee6e98125a75bb813d67b2419e5c4914edfdf49f751

Download Submit
C:\ProgramData\HJDBFBKK

Filesize
92KB

MD5
e248975fcae2fff4649630d9421bd44e

SHA1
283f382e83b0767a0cd6b2d54bce3c1c315c60d6

SHA256
2e7470ccd25b6d7e9606f29643dbda3e3a4ef3f0575b2d074986c80cf8b148d2

SHA512
9bd5cf49a7773811d72be905cc8dfc2310f82899553c6f598a52b5dc261fc26191462855fdba8b3a83c8a317faed71a1a134df83f338c6c9442ee792cdf7428f

Download Submit
C:\ProgramData\HJJKJJDHCG.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
C:\ProgramData\freebl3.dll

Filesize
17KB

MD5
56b9b01de3282fcb7ead7190344d4894

SHA1
37887894647859a2013ad35893e1b5a7c6745260

SHA256
14cc9da93c9fd0e0c31e6bac04e303cfa423769a670ffd0fd6e5a2d113041b44

SHA512
d3621893907f544c7b7ffeba2c5c95612ed99408c5ad5d9c01f2aa21fc1499b4c9d26caf5e578f78428860cc35f1d0666913989f5beb09a98ddbbfd4d701a624

Download Submit
C:\ProgramData\mozglue.dll

Filesize
1024B

MD5
ef8872dbb1e0de26c4daadb4e2ba1231

SHA1
3d2931acbf70418c2e5d997efb92191a0aa1c370

SHA256
3c3473cd478011ef47a57b88ec6fda2427c944085bbb929bbde6ed88ba4cd624

SHA512
68aafdca48c3830d035fecec97fecfbe11f7691561e53cd9b8c126bc0a9675056f807869f6248ad9e3d8f6dcf0a5d7ce8355490aec7e2a09376ac0673a6392c4

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
116KB

MD5
61ab75924a4c4f1cb2de0fcb1ea4af4f

SHA1
f9b7e2601163d1a355230c0acde21b7027386bac

SHA256
1f3c3b9e41bdd48a9673114a6b0212f3b3de0f4e20a814592847162421f3d116

SHA512
2e5fe3e269d8cece49a1ea266e5106d829a5239bc32a23693df7347f343bb1d7b2600c433186f97b53610cddcb52dabe47244fe242038ff4ff31525fb4404b14

Download Submit
C:\ProgramData\nss3.dll

Filesize
83KB

MD5
7b94fb0cdcaff263f2cf6dd3ed5992d1

SHA1
56ca4230041a0f3a080d53dc1a7c6cd71a01accc

SHA256
ae61243c03a012300f58ccf34c3d02a80f824c848d79a6ba0522d13b2c82a143

SHA512
d623a3298247e067d0a92dc5d8f2a88caa68856aeeace98c4def9a6206bc3fa207c2d9b2467a9e978ad4a536e44e054bf6a6a5fec33cc35161a806760d51a6e7

Download Submit
C:\ProgramData\softokn3.dll

Filesize
97KB

MD5
2a519486c5e68bf067db2654de94090f

SHA1
d9e4404dee78d2fb5809b8911c706cf228788e9c

SHA256
3d8ee463f2b7f2e85bf1c7c744540f4e3b4fbe6f256d28c1c00498012d5f81bb

SHA512
5c68fc8cc9e45d0c753fa666c5da125a9645752c414a4450772053166419a68cd0d1b5fa8badbffe24546eadf1f2c290c4fecaa8f07431d4308dbc9c89beb3a3

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
4KB

MD5
b24c62e1b4995de7e46d27a39a26454e

SHA1
d9f928a643501936ddef2013bcd7375e09a94da6

SHA256
8383fb98ea7e95d41ea3b4f7c2956f37bd23168780260eb97dbdfe516bf6a482

SHA512
f611fa714361de9f7dd618e1f3cd9a344c17bd0cb3703ac01da2c5c7402c650b9b4ffdffcddf71505887931ad4f2489db8f7833e3b6d101d1d91aa752cb54ddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
53531d3b1632c42fbb5282b61f41eb70

SHA1
3e57dd0a3966162c6bf62d02cef4abcff03c1159

SHA256
b949b4e92e2803878a2b71476a58d2cbfd53c95ab7bb1583ce4e77398f135105

SHA512
60d25185037c526ac8a8c928891c2ea5fe3a5d8d24fd536b36bdaea07953350aa25c45038c5b0db4166912da3ea502a959dd4de7dd6f602d2d6cdd1d349c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52686ead8bb8e09d2f81fd9e918f4b26

SHA1
0a44bd48d6d6827bd842155eb81edec3b422eb06

SHA256
2ed0f1d89da7aec2131395828f1e191956f65b32bcd885195559452e261373df

SHA512
8c71c85524d8c7c04961df9d8739d586411bd2cb80d02fba805145251162c49cab032e5f44c288f223370cd4bf2782ac086d4aa947106a2388be7858b5687de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e9fd0a9bf32263a152508c356f68271

SHA1
adc677246ced9d8df380ef515e7a04e252cf99c4

SHA256
7e83b965067bc5fa3ea0cdffbf68368875dcadde6e23107e033d1ff354461083

SHA512
20c6f58e787a0d0809051f1a72e0c3f5f6631b4ec137211a023b770578809eb06d42f0faeb57f38aa84983241b09e5891fb13163d023db4ac6464d569c05b617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
c8d0acd173f476fe8e799d86b28ad9d8

SHA1
89c83847ded73ee6ed90ce33568fe6f82cc7ab83

SHA256
1245c403582a5ccef4943b84de82777de581642edbc44d723daefdfc1c9a9f1e

SHA512
11678073b0f40f0cc82df135453eb72257e27f15180d15329c5cea6f01bbc9726c2dc7080a13665029978f8a6a977495115058532e39ed2a6016252443021ca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d8f5cb9a5226954ff96eb9961bd9791d

SHA1
ad83e565a480ea55bb72464a00e73ee4070bf088

SHA256
ca682db6e3c193161a552353d8586cf1f1b96c256e86d5fdb5beaefab7941f01

SHA512
cb7275bcf52700e4c23cd7cf826732a33f607d7af0a4fac71a3d620cef1ed93348ade38827210a1cc097be177e5d1d90d89d41399f46625cbdf4d36e1122a543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\76561199780418869[1].htm

Filesize
33KB

MD5
5d6984a11955044ae8c5572812bd5b2a

SHA1
ae7a0fa96a093cc37d80f999ce9c352ea2f23936

SHA256
14bfb7fa8cf104e1fe189bb51307d6f73b5db05a6295929c441d68cdea49e772

SHA512
2cec393e6cb913c47074a27f750a6d1450d77930781a9b3dc61bd20ea51e1ab19a62400d7ad3ca154287d5ca67eaef2176ba9644ebbcf91b17d9686d085228b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\76561199780418869[1].htm

Filesize
33KB

MD5
8562fbbbcc18bbfd03dcbff40662a37a

SHA1
b01842bfe83915a4648be88927c8d8b3759d1ab4

SHA256
3621a086c79dec778eb1e9091b389e5d87bfec15e97b51b5fea5c1eeea3f881c

SHA512
ee1ad080d49283ca4c6e590d278186acf7eb105b2af763e32344462a40e7a8a94ef80027c5dee99c9c9155822597527b31d9091d507b08ae8e1644b792edb17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab81A0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8230.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\GCGHIIDHCG.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
\ProgramData\JDAKJDAAFB.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/272-530-0x0000000072AA0000-0x000000007318E000-memory.dmp

Filesize
6.9MB

Download
memory/272-527-0x0000000072AA0000-0x000000007318E000-memory.dmp

Filesize
6.9MB

Download
memory/272-503-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/272-504-0x0000000072AAE000-0x0000000072AAF000-memory.dmp

Filesize
4KB

Download
memory/272-505-0x0000000072AA0000-0x000000007318E000-memory.dmp

Filesize
6.9MB

Download
memory/852-857-0x0000000001010000-0x0000000001078000-memory.dmp

Filesize
416KB

Download
memory/2140-8-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-2-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-0-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/2140-16-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-1-0x0000000000A30000-0x0000000000A98000-memory.dmp

Filesize
416KB

Download
memory/2180-643-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2180-641-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2180-639-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2260-519-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-517-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-521-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-523-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-518-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-524-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2260-529-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2260-526-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2488-565-0x0000000001170000-0x00000000011D8000-memory.dmp

Filesize
416KB

Download
memory/2720-212-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-424-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-383-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-362-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-246-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-198-0x000000001FE50000-0x00000000200AF000-memory.dmp

Filesize
2.4MB

Download
memory/2720-178-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-159-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-15-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-4-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-443-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-10-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2720-13-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2824-590-0x00000000010A0000-0x00000000010F6000-memory.dmp

Filesize
344KB

Download
memory/2976-864-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download