lumma | 2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef

Analysis

max time kernel
72s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe
Size

327KB
MD5

dfd49d1326704cfeee9852999782e4b6
SHA1

4bd1c441c55ec55a1cac7ca2bfe786a739cb01a4
SHA256

2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
SHA512

fe9e9537f76bf36b6e6abd340ef135d5d017bb2b067239f6871f5a8952d2a5b823dd89838b8d31a928b40a1a70bd83010e5f3f49905672fbcd74b763d65504bf
SSDEEP

6144:b0VDzBghICYEQ4pirMkbnahpDVD9oX8Wnde3Ka+DWYBemn1gGsvYBKKbM3itHqOk:YR6W7dUirtbMpDVD9oX8WnU3Fh+l1gsW

Score

10^/10

lumma stealc vidar 8b4d47586874b08947203f03e4db3962 default credential_access discovery spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

lumma

https://questionsmw.store/api

https://soldiefieop.site/api

https://abnomalrkmu.site/api

https://treatynreit.site/api

https://snarlypagowo.site/api

https://mysterisop.site/api

https://absorptioniw.site/api

https://gravvitywio.store/api

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/1916-115-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1916-113-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1916-107-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1916-112-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1916-109-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1916-105-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2612	AdminEBFBKFBGII.exe
2876	AdminHCGCBFHCFC.exe
2352	DHJDAKEGDB.exe
2552	KJKJJEGIDB.exe
1736	BKFCBFCBFB.exe

Loads dropped DLL 15 IoCs

pid	Process
1716	RegAsm.exe
1716	RegAsm.exe
2884	cmd.exe
3020	cmd.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 2612 set thread context of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2876 set thread context of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2352 set thread context of 1832	2352	DHJDAKEGDB.exe	48
PID 2552 set thread context of 928	2552	KJKJJEGIDB.exe	51
PID 1736 set thread context of 2444	1736	BKFCBFCBFB.exe	54

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHJDAKEGDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminEBFBKFBGII.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KJKJJEGIDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminHCGCBFHCFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKFCBFCBFB.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2832	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1716	RegAsm.exe
1716	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe
1916	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1972 wrote to memory of 1716	1972	2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe	31
PID 1716 wrote to memory of 2884	1716	RegAsm.exe	34
PID 1716 wrote to memory of 2884	1716	RegAsm.exe	34
PID 1716 wrote to memory of 2884	1716	RegAsm.exe	34
PID 1716 wrote to memory of 2884	1716	RegAsm.exe	34
PID 2884 wrote to memory of 2612	2884	cmd.exe	36
PID 2884 wrote to memory of 2612	2884	cmd.exe	36
PID 2884 wrote to memory of 2612	2884	cmd.exe	36
PID 2884 wrote to memory of 2612	2884	cmd.exe	36
PID 1716 wrote to memory of 3020	1716	RegAsm.exe	38
PID 1716 wrote to memory of 3020	1716	RegAsm.exe	38
PID 1716 wrote to memory of 3020	1716	RegAsm.exe	38
PID 1716 wrote to memory of 3020	1716	RegAsm.exe	38
PID 3020 wrote to memory of 2876	3020	cmd.exe	40
PID 3020 wrote to memory of 2876	3020	cmd.exe	40
PID 3020 wrote to memory of 2876	3020	cmd.exe	40
PID 3020 wrote to memory of 2876	3020	cmd.exe	40
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2612 wrote to memory of 1916	2612	AdminEBFBKFBGII.exe	42
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 2876 wrote to memory of 1700	2876	AdminHCGCBFHCFC.exe	43
PID 1916 wrote to memory of 2352	1916	RegAsm.exe	46
PID 1916 wrote to memory of 2352	1916	RegAsm.exe	46
PID 1916 wrote to memory of 2352	1916	RegAsm.exe	46
PID 1916 wrote to memory of 2352	1916	RegAsm.exe	46
PID 2352 wrote to memory of 1832	2352	DHJDAKEGDB.exe	48
PID 2352 wrote to memory of 1832	2352	DHJDAKEGDB.exe	48
PID 2352 wrote to memory of 1832	2352	DHJDAKEGDB.exe	48
PID 2352 wrote to memory of 1832	2352	DHJDAKEGDB.exe	48

C:\Users\Admin\AppData\Local\Temp\2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe
"C:\Users\Admin\AppData\Local\Temp\2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEBFBKFBGII.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\AdminEBFBKFBGII.exe
      "C:\Users\AdminEBFBKFBGII.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\ProgramData\DHJDAKEGDB.exe
        
        "C:\ProgramData\DHJDAKEGDB.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
      - C:\ProgramData\KJKJJEGIDB.exe
        
        "C:\ProgramData\KJKJJEGIDB.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:928
      - C:\ProgramData\BKFCBFCBFB.exe
        
        "C:\ProgramData\BKFCBFCBFB.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIDAAKEGDB.exe"
        8⤵
        
        PID:2848
        
        C:\Users\AdminHIDAAKEGDB.exe
        
        "C:\Users\AdminHIDAAKEGDB.exe"
        9⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEHDAFIJJEC.exe"
        8⤵
        
        PID:1768
        
        C:\Users\AdminEHDAFIJJEC.exe
        
        "C:\Users\AdminEHDAFIJJEC.exe"
        9⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFBAAFHDHCBG" & exit
        6⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHCGCBFHCFC.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\AdminHCGCBFHCFC.exe
      "C:\Users\AdminHCGCBFHCFC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AKFIDHDGIEGCAKFIIJKF

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\AKFIDHDGIEGCAKFIIJKFCBFBFI

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\BFBAAFHDHCBG\AAAEBA

Filesize
92KB

MD5
a58d87b023e155c10b4e15fdfc6fcb06

SHA1
0ee449b782aeac54c0406adde543f19ecd9dfd38

SHA256
331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

SHA512
1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

Download Submit
C:\ProgramData\BFBAAFHDHCBG\JJJJEB

Filesize
6KB

MD5
d2321cf6167a7ec4be18cfb661ca6112

SHA1
b9bb5bb8cb1c43eafef4bb802364f17beccf21b0

SHA256
635e11fcc94891b19985c980c05960af0b1287c9e21f3801ec9f58c67a35a6bf

SHA512
3c6af2556dc0d58f4d4bb03566ff4b18417e553e663c596cbdf6cc4ee30ef5abcc5523ee8345349d2faea0cf937a81a1f949045d62bede4d0c20cf6ddc44a89e

Download Submit
C:\ProgramData\BKFCBFCBFB.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
19KB

MD5
5c3bd8994ef29829bd252b9b0e5e4eb2

SHA1
1be3723886218bddd924a65ef54eae854972d14e

SHA256
a37803ca8db0514597bb6833d395f27ca4697fa14cf50d88ab6ce2c210afca75

SHA512
eab9009e752aa91996af3fefe8951feb8427989caf3d28944c4cd993a991e930d0f988eb7f30a4c452da9f2056bcedc23e15ad773310c6dc35a9be14193c5626

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c7f2d90f5c90ba421c96700249027a64

SHA1
826e331f623ac31cb6d8c470b2b4b64417a69fec

SHA256
83957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c

SHA512
8fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aba1d4fa3393029c572755a9575ad5eb

SHA1
8b069aaa23d3188dbacbfa354d3c8e52e31f3d90

SHA256
1e0c7b53fd68a545da377b05a9df46fa9d7f74acdfb53a085e0257213076498f

SHA512
1d98c6a30cd0d7db344220570ba4a410fd39812b3737629c5247d508724e2f67dd25b67b1c2c7546d950dda0006a429f13f5b4ce32b91fa95339481efd67edd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f130947ed74c5cafb970243ca099a4b

SHA1
3239b97bdc8c9ca5d0d92e831e3d5470365c9349

SHA256
55eed13776f74ab420a81a18ff7b9436fb22f2c5c195ac7f6a7cf2550e21a6d7

SHA512
70d2472acea0447ddd02bd7cbdceecd90014922410888e85a09ba395e80415d2a93db70f5f5d4085fb50fa0d834f7d81b29a791f8ff2a7d47c82fd9f6e1e1142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
ffa8774e51b09a81ce150e962f67ded5

SHA1
af0d972422622d42e0f4efc7a78218188a3a37df

SHA256
a18a4efafea354920aa8c8eb7b2a5114de204e551d824441b5bd366f60069cb2

SHA512
942476aa70b3c759fe5dd20889fd1881c6d185fff23189311163806bafae10d367a584bad8ed06b0e45a3ee5a1fb0cf27a1920ba88328d96dbb12e89e4d3341c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
998bbfbdf4c13adc58c679f213dd7027

SHA1
0cf2d3d691f51e495e50b7a2520feb73a45217de

SHA256
8d6a6bb525ec42f6a83c00f55b72200873c34821b07f765a87658a52d57bea41

SHA512
d4e3c9d964a40504730a91619510b736776b2209bc115285795fa6ba90db6322237ceefda4478af944e282a617179795a5c9f1dbc925c8b7ab62a1ad795de234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\76561199780418869[1].htm

Filesize
34KB

MD5
7996d5582592ee4f42b8e577b0670f5e

SHA1
ee26859e6e03e7ae3ed933960a1d96ec1e1db00e

SHA256
4fc6c4a993bffde537bc563963b58500bc15334edbae3532e3deab7d6ae9ee7b

SHA512
6fccfc07fe6fb2f8890f50639817462abf59aaa8c9f808d5a61a3a0187105a862f3f616f4c47032dfc647528af1b83b5c0c74310a504be37909fc92586a81b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\76561199780418869[1].htm

Filesize
34KB

MD5
1466853b675bf986f62169b68baa8bb6

SHA1
61f25a5260d1b91b6cb7e7b48c8824e636d9ae27

SHA256
f506a249d25c9e33718e980f77c07d0afe66df9a6190c4f2bc7ff110913a9aba

SHA512
189a55ba98673dba82986550fbc59e3990e972f7cf00baaa6a5e419d1234cb2bc0963d269914ede105d5eef6e8485db369856aeb41c2f281ae7993680a86781b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD876.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD8A8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\AdminEBFBKFBGII.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\Users\AdminHCGCBFHCFC.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
memory/1700-134-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-120-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-122-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-124-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-126-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-128-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-131-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1700-132-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1716-572-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-19-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-9-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-10-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-5-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-7-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-20-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-22-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1716-16-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-11-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-14-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-97-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1716-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1736-722-0x0000000000FC0000-0x0000000001016000-memory.dmp

Filesize
344KB

Download
memory/1832-1028-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1916-103-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-115-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-109-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-99-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-112-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-101-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-107-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-113-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1916-105-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1972-17-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1972-4-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-1-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/2352-610-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2484-1021-0x0000000000370000-0x00000000003D8000-memory.dmp

Filesize
416KB

Download
memory/2552-664-0x00000000001B0000-0x0000000000218000-memory.dmp

Filesize
416KB

Download
memory/2612-118-0x0000000072CF0000-0x00000000733DE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-87-0x0000000072CFE000-0x0000000072CFF000-memory.dmp

Filesize
4KB

Download
memory/2612-89-0x0000000072CF0000-0x00000000733DE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-88-0x00000000009F0000-0x0000000000A58000-memory.dmp

Filesize
416KB

Download
memory/2876-96-0x0000000000070000-0x00000000000D0000-memory.dmp

Filesize
384KB

Download