lumma | 3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe

Analysis

max time kernel
25s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe
Size

413KB
MD5

62d163b5e92c65e84a9625b0e94be1c5
SHA1

ef0689df30d24aed60c07826c17824e28e60ad8f
SHA256

3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe
SHA512

c903ff05e9fb024611af52997b466c20db4974fa129aa3bee8966356be9eae050d22e0a39f6bbe8ca1e3a01d63b481ade17b14ff924c8e570cbf57b8604c0338
SSDEEP

12288:y1BT0kmtINYhQSAu/962sRCc8Tft79aaTEO:Hh6YhnFsR4TFxnTt

Score

10^/10

lumma stealc vidar 8b4d47586874b08947203f03e4db3962 c7664db1b2143bb72073c634fc34cfef default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

c7664db1b2143bb72073c634fc34cfef

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://questionsmw.store/api

https://soldiefieop.site/api

https://abnomalrkmu.site/api

https://treatynreit.site/api

https://snarlypagowo.site/api

https://mysterisop.site/api

https://absorptioniw.site/api

https://gravvitywio.store/api

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral1/memory/2712-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-16-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-10-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-13-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-159-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-178-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-212-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-231-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-362-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-381-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-424-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2712-443-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2296-580-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2296-582-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2296-579-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2296-576-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2296-574-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2296-572-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1660	BFHDAEHDAK.exe
468	JEGDGIIJJE.exe
2216	BKFHCGIDBA.exe

Loads dropped DLL 11 IoCs

pid	Process
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1660 set thread context of 1480	1660	BFHDAEHDAK.exe	37
PID 468 set thread context of 2296	468	JEGDGIIJJE.exe	42
PID 2216 set thread context of 2620	2216	BKFHCGIDBA.exe	45

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFHDAEHDAK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JEGDGIIJJE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKFHCGIDBA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2088	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 1780 wrote to memory of 2712	1780	3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe	32
PID 2712 wrote to memory of 1660	2712	RegAsm.exe	35
PID 2712 wrote to memory of 1660	2712	RegAsm.exe	35
PID 2712 wrote to memory of 1660	2712	RegAsm.exe	35
PID 2712 wrote to memory of 1660	2712	RegAsm.exe	35
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 1660 wrote to memory of 1480	1660	BFHDAEHDAK.exe	37
PID 2712 wrote to memory of 468	2712	RegAsm.exe	38
PID 2712 wrote to memory of 468	2712	RegAsm.exe	38
PID 2712 wrote to memory of 468	2712	RegAsm.exe	38
PID 2712 wrote to memory of 468	2712	RegAsm.exe	38
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 1852	468	JEGDGIIJJE.exe	40
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2352	468	JEGDGIIJJE.exe	41
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 468 wrote to memory of 2296	468	JEGDGIIJJE.exe	42
PID 2712 wrote to memory of 2216	2712	RegAsm.exe	43

C:\Users\Admin\AppData\Local\Temp\3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe
"C:\Users\Admin\AppData\Local\Temp\3111b931a7221a2b5ba2b0b7a4e6f51ec5f56d9d11aeb318098796ad411968fe.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\ProgramData\BFHDAEHDAK.exe
    "C:\ProgramData\BFHDAEHDAK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1480
- - C:\ProgramData\JEGDGIIJJE.exe
    "C:\ProgramData\JEGDGIIJJE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2296
- - C:\ProgramData\BKFHCGIDBA.exe
    "C:\ProgramData\BKFHCGIDBA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBFIJKEBFBF.exe"
        5⤵
        
        PID:1520
      - C:\Users\AdminBFIJKEBFBF.exe
        
        "C:\Users\AdminBFIJKEBFBF.exe"
        6⤵
        
        PID:2916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFIJDGIJJKE.exe"
        5⤵
        
        PID:2388
      - C:\Users\AdminFIJDGIJJKE.exe
        
        "C:\Users\AdminFIJDGIJJKE.exe"
        6⤵
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGIJKJJKEBG" & exit
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DBFCBGCGIJKJKECAKEGC

Filesize
6KB

MD5
86f407005fbf8ddd033fceaf60ed372f

SHA1
0f4c3d920aba3311316aa23969e96a0fd65af2a2

SHA256
778ebb56194b5ba2f52bbdb8b887267cffbd4d8b2d05a84339b813b5387af07e

SHA512
f3496f01baaeeb4fd6bad279fa3074d7258aa83f0c70d1541313958dd381ed17e4b4ec86b245ab1941b7e3625d391c277c4025fa7116566420414716a205b432

Download Submit
C:\ProgramData\DGIJEGHD

Filesize
92KB

MD5
a58d87b023e155c10b4e15fdfc6fcb06

SHA1
0ee449b782aeac54c0406adde543f19ecd9dfd38

SHA256
331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

SHA512
1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

Download Submit
C:\ProgramData\KJKJKFCBKKJD\EHDGIJ

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\KJKJKFCBKKJD\FBAAAK

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\freebl3.dll

Filesize
81KB

MD5
aa268cdb9f81940bed06afe72fe43cbb

SHA1
b09277c3b4ef42946be4c6ef79d6f4e0e6c1ab65

SHA256
cf5b64771f35028b997a2b01bb95f4ed106d1f2173ec6cb44e7cc0f2d55f53be

SHA512
494795f5309b2bc6ccee5182dec01165f1f6b46e16318eb6d4460bac2c1b224cb5d127f103e393206ef810a909983a2998d0f32a26bdd50d20659f7401523dac

Download Submit
C:\ProgramData\mozglue.dll

Filesize
117KB

MD5
b0ee8a4da9592c72ea70a18db5d68555

SHA1
62def2c2fd5575980fe7523adfab0cb32d1498c6

SHA256
bcbee8361a2808b1fa8a5f1b7c7df0cf8db0cd17bdc06c8ec7cf199e584c17ef

SHA512
4c06c636773133a1c599bfe430a5be2a723e669c60dc0286fa31a275f891ada410be0bb3fe7954b368878b9a37ceb58c0718d6811850030cb4f164212c6143f7

Download Submit
C:\ProgramData\nss3.dll

Filesize
18KB

MD5
7642e524fff03e9503adcb4300f251d2

SHA1
8b1c256de7f81e21b88c87073914366f7b3cf5e2

SHA256
65114a89a13c3316e8b4844605378260ce92e55092703fbbd3fcbad0ea3d2cc3

SHA512
b89f477be0eb80b437062fe95d101a130be854235f50298130da95b911b4a4ce5bd6e8d63230caa31f65ff8a4039b092e3e0c3748925d54b57b51d97dfef4345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c7f2d90f5c90ba421c96700249027a64

SHA1
826e331f623ac31cb6d8c470b2b4b64417a69fec

SHA256
83957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c

SHA512
8fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400c7eb36c3fe449a91eaf2f4e1265eb

SHA1
570c0904b2a1c6e362ef79507acda5d38302834f

SHA256
6dd5ccfe9eaadd0283cbcaf37bf99ac7e188d1f1227ce1549a99042dacdcdc66

SHA512
ceab199440a626115571d535602c6fbc70a42fa4e00f9db24d098cf7f955e0e4f3fdf55c98c3894e70d747744bc8f745cd44dc8ff15d87c2e94f24ab478a07d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa7a046192b98a8a95c8cbcb720f44a8

SHA1
fe8b9b22057a3d9dc02a6c501cf90c4d1d6465cc

SHA256
5626440d187e124333667eef9c9525d419d50ccdd6eecb0f1d7aaba309b0945e

SHA512
982e3eee25503da9452f6a6a81764cd537c34e6f4b6e58c0683431911e661e0f7b7d9d7cf0cf322b2df14c2e21dd28680e0fb17e1357b187e528d6411db49c51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
70ff8a630edf1371826195cedaaa7b38

SHA1
30e1bdbf977b537ddcc7de4cac2ec8061be75369

SHA256
eb5c2ec1544a7c8465a093a6e6c892359011638bc9975e7c99540e58fb62914c

SHA512
016ebfbd468cb02e0508b970584b01e4fb4642179a0b0888a2ba5bf0c74839000bcd1b27958a79d11f590995355ffb371558388e8313d268ba979229f7ef759f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8063065acbb455d07e68edaaa9e50b68

SHA1
581736a0f7918424e9afc5456305996264c61200

SHA256
6747bb23dda4324093d15e3542479d66d241c00f01d574106a6223a43e07ffc3

SHA512
9e24a3fd8a5a1e77125e17513bfb9b001a37a790e06a107b58b52b01477d95f6c49eb90171dcd37432131af54695cdab1d4d4d36e585a342053b9e746114ce39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\76561199780418869[1].htm

Filesize
34KB

MD5
5b79c645371ea420e8a7ee3ae7b594d2

SHA1
02f4b6ef9b9dfbce2d0700d063ee7fb90a4ee538

SHA256
0d1b083106b0adf00787dd810500625ce215025ef9aa5d3e54a6f96830ab30d7

SHA512
7db313a0ed2bc42ff82321f87489a99858be9feece73a7db9f7c0d5b715c899186d1ae6f1ef348d96a9d1db847825ecb06502a0da62519b45324544514f18755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\76561199780418869[1].htm

Filesize
34KB

MD5
4a950255b3b2550e775903cdf61d355f

SHA1
df9402c091ea0d0c6075ab9691ac8210414f96e3

SHA256
b88a8b7fc7459b2c51662ce0f6f8714c925b5124792674414601187b9ea9953b

SHA512
1dff2f0c8f01d0b2274a45f7d2cc32de3b0ebbda095c301f38fbc7b37e46d6ea7e4b5ea1472a5ab71d803e751c40614714a747b54c448e19f31be8500cc2aa94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB5A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB6D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\BFHDAEHDAK.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
\ProgramData\BKFHCGIDBA.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
\ProgramData\JEGDGIIJJE.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/468-546-0x0000000000AB0000-0x0000000000B18000-memory.dmp

Filesize
416KB

Download
memory/1480-518-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-529-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-517-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-519-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-520-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-521-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-524-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1480-526-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1660-497-0x00000000734D0000-0x0000000073BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-528-0x00000000734D0000-0x0000000073BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-530-0x00000000734D0000-0x0000000073BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-496-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1660-495-0x00000000734DE000-0x00000000734DF000-memory.dmp

Filesize
4KB

Download
memory/1780-5-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-1-0x0000000000090000-0x00000000000F8000-memory.dmp

Filesize
416KB

Download
memory/1780-15-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/1780-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/1780-2-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-600-0x0000000001240000-0x0000000001296000-memory.dmp

Filesize
344KB

Download
memory/2296-568-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-570-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-580-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-582-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-579-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-578-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-576-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-574-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2296-572-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2620-622-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2620-624-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2620-620-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2620-626-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2712-13-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-424-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-362-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-231-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-212-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-197-0x00000000204F0000-0x000000002074F000-memory.dmp

Filesize
2.4MB

Download
memory/2712-178-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-159-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-443-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-381-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-4-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-10-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2712-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-16-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2916-842-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/3020-867-0x0000000000F80000-0x0000000000FE0000-memory.dmp

Filesize
384KB

Download