buer | 836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe
Size

413KB
MD5

237af39f8b579aad0205f6174bb96239
SHA1

7aad40783be4f593a2883b6a66f66f5f624d4550
SHA256

836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
SHA512

df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d
SSDEEP

12288:hQq9JI/vWhNOAE2wMUZ0iR4HHW02AEPzYhDU9qcEO:5JXfOATt3202AHhD5ct

Score

10^/10

buer lumma vidar 8b4d47586874b08947203f03e4db3962 credential_access discovery loader spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

lumma

https://questionsmw.store/api

https://soldiefieop.site/api

https://abnomalrkmu.site/api

https://treatynreit.site/api

https://snarlypagowo.site/api

https://mysterisop.site/api

https://absorptioniw.site/api

https://gravvitywio.store/api

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Detect Vidar Stealer 17 IoCs

stealer

resource	yara_rule
behavioral1/memory/3020-10-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-13-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-25-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-22-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-17-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-11-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-164-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-183-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-217-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-236-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-316-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-368-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-387-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-430-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-449-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-662-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
664	GDBFHDHJKK.exe
992	BKJKJEHJJD.exe
3024	CFBAKKJDBK.exe
1912	AdminHIEHDAFHDH.exe
2972	AdminGCGHJEBGHJ.exe

Loads dropped DLL 15 IoCs

pid	Process
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
2824	RegAsm.exe
2824	RegAsm.exe
2848	cmd.exe
2964	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 664 set thread context of 1772	664	GDBFHDHJKK.exe	37
PID 992 set thread context of 2124	992	BKJKJEHJJD.exe	41
PID 3024 set thread context of 2824	3024	CFBAKKJDBK.exe	44
PID 1912 set thread context of 2752	1912	AdminHIEHDAFHDH.exe	58
PID 2972 set thread context of 2096	2972	AdminGCGHJEBGHJ.exe	59

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFBAKKJDBK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKJKJEHJJD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGCGHJEBGHJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDBFHDHJKK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminHIEHDAFHDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1028	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
3020	RegAsm.exe
2824	RegAsm.exe
2124	RegAsm.exe
2124	RegAsm.exe
2824	RegAsm.exe
2752	RegAsm.exe
2752	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 2180 wrote to memory of 3020	2180	836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe	32
PID 3020 wrote to memory of 664	3020	RegAsm.exe	35
PID 3020 wrote to memory of 664	3020	RegAsm.exe	35
PID 3020 wrote to memory of 664	3020	RegAsm.exe	35
PID 3020 wrote to memory of 664	3020	RegAsm.exe	35
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 664 wrote to memory of 1772	664	GDBFHDHJKK.exe	37
PID 3020 wrote to memory of 992	3020	RegAsm.exe	38
PID 3020 wrote to memory of 992	3020	RegAsm.exe	38
PID 3020 wrote to memory of 992	3020	RegAsm.exe	38
PID 3020 wrote to memory of 992	3020	RegAsm.exe	38
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 3028	992	BKJKJEHJJD.exe	40
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 992 wrote to memory of 2124	992	BKJKJEHJJD.exe	41
PID 3020 wrote to memory of 3024	3020	RegAsm.exe	54
PID 3020 wrote to memory of 3024	3020	RegAsm.exe	54
PID 3020 wrote to memory of 3024	3020	RegAsm.exe	54
PID 3020 wrote to memory of 3024	3020	RegAsm.exe	54
PID 3024 wrote to memory of 2824	3024	CFBAKKJDBK.exe	44
PID 3024 wrote to memory of 2824	3024	CFBAKKJDBK.exe	44
PID 3024 wrote to memory of 2824	3024	CFBAKKJDBK.exe	44
PID 3024 wrote to memory of 2824	3024	CFBAKKJDBK.exe	44

C:\Users\Admin\AppData\Local\Temp\836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe
"C:\Users\Admin\AppData\Local\Temp\836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\ProgramData\GDBFHDHJKK.exe
    "C:\ProgramData\GDBFHDHJKK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1772
- - C:\ProgramData\BKJKJEHJJD.exe
    "C:\ProgramData\BKJKJEHJJD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2124
- - C:\ProgramData\CFBAKKJDBK.exe
    "C:\ProgramData\CFBAKKJDBK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIEHDAFHDH.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Users\AdminHIEHDAFHDH.exe
        
        "C:\Users\AdminHIEHDAFHDH.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGCGHJEBGHJ.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Users\AdminGCGHJEBGHJ.exe
        
        "C:\Users\AdminGCGHJEBGHJ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAAAAFIIJDB" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1880325643-20474651411183102716-137549090318293008871030689389-20080243241954259438"
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAAAAAAAAAAAAAAAAAAA

Filesize
6KB

MD5
f5cf0f8a638fcd8228e9493d27cbed25

SHA1
47dde7ed80b20c75b0c0c37fa8256cca159c133d

SHA256
26d9f343033ac39da30e28d96120f157266803aa66bacf4b8f0f309677a35fdc

SHA512
12d987931f0358d55f18350b81df7c3d00f84e973193f046d0a3f721226d594d2e88ed3d1116b213e773d599268686cb2a3d18d5c096fe571abed26b19b74c48

Download Submit
C:\ProgramData\BKFBAECBAEGD\AAFBAK

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\BKFBAECBAEGD\FBFHDB

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\CFBAKKJDBK.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
C:\ProgramData\JKEBFBFI

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\ProgramData\freebl3.dll

Filesize
1024B

MD5
f72a1b546b4cdd0c3f156e2f9b67f50e

SHA1
9bb32d0b3cea3007b4611cc58b74fa7427c15ac5

SHA256
7da29fc9694899f3aee0bb5a886e8f6126fddd29176cd583010924c33355b3d8

SHA512
55b920896c79c0c1aa373eb83f48e0f284d6c65d8f2972f88c59475a69c82cbb4978405994f21db08da48a34c4f23c7fa1713abf180f153df466ad34dc3ea2b9

Download Submit
C:\ProgramData\mozglue.dll

Filesize
6KB

MD5
c6e08bac0f6c26f1630bf2f74b1c9ca4

SHA1
be2516f41edaf3fb7a8f142400d177338d880f1d

SHA256
5733d2250190da9e12660a6f0470b1f28782968e4d68b7967e027d1f40e2c685

SHA512
e2f0bf814b7e053899c0146a2d3a5e03feadd03cf30513f3c5e349b5cb3cea638c33aac3bc5954f9fd0002b76746ce4b92863be662220f5f5705b9a2286c9b23

Download Submit
C:\ProgramData\softokn3.dll

Filesize
51KB

MD5
ff088b492b3498455d72a226239a574e

SHA1
76c7e45de7c821e97cbe8b232dfec41dd8ea6183

SHA256
9d992bf3f8a5b82ddc3a9f92cc80614d728c298f3c7c5cabd605185cfb7e7688

SHA512
9deb4ad513342a5a5b7a03faf39e9ab022cfbedf304aaec8087c0ef387bd10c3c917872a792b0b9515687df4470cd2fb8f1d2b2f5b9a381d5350332c353059c0

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
1024B

MD5
b82fcea38722d7a2b82e366e2dcabeeb

SHA1
8e2ac40ca1915b45e15b8a84647d0c5d6f9441d9

SHA256
a6fca6a2f37912cb23f6baee9dc5e606c9f43559a483b0bcce7cdc28e262d277

SHA512
fddb1f635f3f4588a8ee4057c618a8620c509a366856c429bd111802b091844422caa1d3bead9ba2f7412274086ae1fb096bfd3895b85b78f09636d179424b37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c7f2d90f5c90ba421c96700249027a64

SHA1
826e331f623ac31cb6d8c470b2b4b64417a69fec

SHA256
83957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c

SHA512
8fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e87e93f287c62e0480e13cfeb0bafce

SHA1
b6e36a6bd51609653e1583948e4bc1555bb45afc

SHA256
cc8220489c7662241289b35b632a58135f7b9041c59b008f1c33fd9d4b3b1622

SHA512
985cfd7bde0212a38a5732d5918d3f98c82bc6e8b78453cc31d24d9923914d1db51868983a502966ebc64e03c8c773c37f530efb2ab2507c525bd454b51bddbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc97c4d3ad28dadc8457052a199fc245

SHA1
1267106e43bd3bfeaaea9b349c9612d440d8d238

SHA256
ffbe8389c400b8fc68528554b94c7a04fe9e9efd377b602fa6a72b97ba8730aa

SHA512
5ea9920e4d41e9f31f93d7d60163b8fb1be53268e5461d0cd1f0756b1ba29b9b376e7c3ab9cf8829745ec78718e1fb2fd8f3483c134e0346a5260a7018819cf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
a7cba28726d52ae4aadbcf8997729575

SHA1
ac1b2c54b083cbc806a05b5fffb91bbce81ee7d1

SHA256
79cb724c58521eb1821e413f9be6317a06f5796bffe78b6b5f5e9dc7f63221ef

SHA512
f6cf318964a4791d0e9ba2136ac7ec8e4b2b54ff70f86641d91bf7ee64d6b0d5714ff29060efa697fe0503a8aa1841feb83169a4dbe57a14d091e363e904865c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
51b6fc106dc600d8679e97f69e585d01

SHA1
1605d978ade2e78c002188af55ccfc0eac7b9808

SHA256
473418e0279554ddf7d5eda3481bcb54d82f5434c220582d4efd9d75dfb62d40

SHA512
1abc406a8a12464dae6dff9cf6041f8d5a70b869dc1fe502aae818761948fd7d2aeb74ee400dbdf02a5b005e9ee00b089a9d59cd5dd164dc069505fad8d92d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\76561199780418869[1].htm

Filesize
34KB

MD5
9759489e592a6dd42c55e6de8b55c516

SHA1
623ba5e69322a955e577be3abb5759d222385652

SHA256
73f65e585026442f70a3d4a11332c2e3d4c1b4759b15f3df4d1eaab600c8565c

SHA512
0c2649cdcecac63496eae3c4cbc776a2c05ff6390e8b0ad4fc2d369cf416bd0ba1d9c13978cf0089a7b8805be1d4e7d1424e9fef271395018d21b674bdf48fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\76561199780418869[1].htm

Filesize
34KB

MD5
66280325beefd0b83b034f321429811e

SHA1
5202f4ffb26725c2eb100169578c8ab8a8c8c724

SHA256
c8756d27f9f7a62fad1f2a1fd242a59f248c416f56cdcf7e52a69c70843fbc04

SHA512
fb88f1cd4a1d7f2f4bffdda3c6daf71bae52e060256453d423fadcf2317e0b613796d9bf4ce169c82cdd70b74c83d3822b8e1808c333bba1c0ebebed0bd69858

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE938.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE95B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\BKJKJEHJJD.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\ProgramData\GDBFHDHJKK.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/664-502-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/664-538-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/664-536-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/664-503-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/664-501-0x000000007327E000-0x000000007327F000-memory.dmp

Filesize
4KB

Download
memory/992-554-0x00000000001C0000-0x0000000000228000-memory.dmp

Filesize
416KB

Download
memory/1772-523-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-529-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-528-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-527-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-525-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-537-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-534-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1772-532-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1912-898-0x0000000001200000-0x0000000001268000-memory.dmp

Filesize
416KB

Download
memory/2180-2-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-0-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download
memory/2180-4-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-20-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-628-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2972-905-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3020-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-22-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-183-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-164-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-662-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-387-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-11-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-202-0x0000000020300000-0x000000002055F000-memory.dmp

Filesize
2.4MB

Download
memory/3020-17-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-316-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-25-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-13-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-10-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-430-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-368-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-217-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-449-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-236-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3024-608-0x00000000003B0000-0x0000000000406000-memory.dmp

Filesize
344KB

Download