vidar | 017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-03-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
Size

5.5MB
MD5

2b74fd898c6ca79faa64f3d9cae268d4
SHA1

206353bb5b604968e4821e115748f9aa3df6a671
SHA256

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
SHA512

d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
SSDEEP

98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Score

10^/10

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
d165eae423b0d6c5abd85327c20d845d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000b000000014319-12.dat	family_vidar_v7

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	whrbuflqwhah.exe
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
1236	Payload.exe
2248	build.exe
2668	Miner.exe
2736	Shortcutter.exe
3004	whrbuflqwhah.exe

Loads dropped DLL 6 IoCs

pid	Process
1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
1236	Payload.exe
1236	Payload.exe
1236	Payload.exe
480	services.exe
480	services.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	whrbuflqwhah.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 1736	2668	Miner.exe	54
PID 3004 set thread context of 1280	3004	whrbuflqwhah.exe	82
PID 3004 set thread context of 1984	3004	whrbuflqwhah.exe	83
PID 3004 set thread context of 1936	3004	whrbuflqwhah.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\build.exe	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1688	sc.exe
276	sc.exe
2356	sc.exe
2660	sc.exe
300	sc.exe
300	sc.exe
2616	sc.exe
1360	sc.exe
1696	sc.exe
612	sc.exe
2696	sc.exe
2056	sc.exe
1396	sc.exe
2824	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	2248	WerFault.exe	31

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a04ab0986e7cda01	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	powershell.exe
1708	powershell.exe
2668	Miner.exe
1388	powershell.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
1736	dialer.exe
1736	dialer.exe
1736	dialer.exe
1736	dialer.exe
2668	Miner.exe
2668	Miner.exe
2668	Miner.exe
3004	whrbuflqwhah.exe
1052	powershell.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
3004	whrbuflqwhah.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
3004	whrbuflqwhah.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe
1280	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2736	Shortcutter.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1736	dialer.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1280	dialer.exe
Token: SeLockMemoryPrivilege	1936	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1708	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	28
PID 1924 wrote to memory of 1708	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	28
PID 1924 wrote to memory of 1708	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	28
PID 1924 wrote to memory of 1708	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	28
PID 1924 wrote to memory of 1236	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	30
PID 1924 wrote to memory of 1236	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	30
PID 1924 wrote to memory of 1236	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	30
PID 1924 wrote to memory of 1236	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	30
PID 1924 wrote to memory of 2248	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	31
PID 1924 wrote to memory of 2248	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	31
PID 1924 wrote to memory of 2248	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	31
PID 1924 wrote to memory of 2248	1924	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	31
PID 1236 wrote to memory of 2624	1236	Payload.exe	32
PID 1236 wrote to memory of 2624	1236	Payload.exe	32
PID 1236 wrote to memory of 2624	1236	Payload.exe	32
PID 1236 wrote to memory of 2624	1236	Payload.exe	32
PID 1236 wrote to memory of 2668	1236	Payload.exe	34
PID 1236 wrote to memory of 2668	1236	Payload.exe	34
PID 1236 wrote to memory of 2668	1236	Payload.exe	34
PID 1236 wrote to memory of 2668	1236	Payload.exe	34
PID 1236 wrote to memory of 2736	1236	Payload.exe	35
PID 1236 wrote to memory of 2736	1236	Payload.exe	35
PID 1236 wrote to memory of 2736	1236	Payload.exe	35
PID 1236 wrote to memory of 2736	1236	Payload.exe	35
PID 2248 wrote to memory of 3020	2248	build.exe	38
PID 2248 wrote to memory of 3020	2248	build.exe	38
PID 2248 wrote to memory of 3020	2248	build.exe	38
PID 2248 wrote to memory of 3020	2248	build.exe	38
PID 852 wrote to memory of 1436	852	cmd.exe	45
PID 852 wrote to memory of 1436	852	cmd.exe	45
PID 852 wrote to memory of 1436	852	cmd.exe	45
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 2668 wrote to memory of 1736	2668	Miner.exe	54
PID 1736 wrote to memory of 436	1736	dialer.exe	5
PID 1736 wrote to memory of 480	1736	dialer.exe	6
PID 1736 wrote to memory of 492	1736	dialer.exe	7
PID 1736 wrote to memory of 500	1736	dialer.exe	8
PID 2456 wrote to memory of 1876	2456	cmd.exe	65
PID 2456 wrote to memory of 1876	2456	cmd.exe	65
PID 2456 wrote to memory of 1876	2456	cmd.exe	65
PID 480 wrote to memory of 3004	480	services.exe	66
PID 480 wrote to memory of 3004	480	services.exe	66
PID 480 wrote to memory of 3004	480	services.exe	66
PID 1736 wrote to memory of 600	1736	dialer.exe	9
PID 1736 wrote to memory of 3004	1736	dialer.exe	66
PID 1736 wrote to memory of 680	1736	dialer.exe	10
PID 1736 wrote to memory of 752	1736	dialer.exe	11
PID 1736 wrote to memory of 816	1736	dialer.exe	12
PID 1736 wrote to memory of 856	1736	dialer.exe	13
PID 1736 wrote to memory of 964	1736	dialer.exe	15
PID 1736 wrote to memory of 108	1736	dialer.exe	16
PID 1736 wrote to memory of 332	1736	dialer.exe	17
PID 1736 wrote to memory of 1068	1736	dialer.exe	18
PID 1736 wrote to memory of 1112	1736	dialer.exe	19
PID 1736 wrote to memory of 1176	1736	dialer.exe	20
PID 1736 wrote to memory of 1284	1736	dialer.exe	21
PID 1736 wrote to memory of 2224	1736	dialer.exe	23
PID 1240 wrote to memory of 1516	1240	cmd.exe	73
PID 1240 wrote to memory of 1516	1240	cmd.exe	73

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:2224
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:908
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2060
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Drops file in System32 directory
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1176
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:2708
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:332
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1068
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:3048
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2144
- C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1516
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1360
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1396
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2824
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1984
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcwB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAagB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQBsACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Users\Admin\AppData\Roaming\Miner.exe
      "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:1436
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:612
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:300
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1688
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:276
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1696
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:2056
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2696
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2616
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:2660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1876
  - - C:\Users\Admin\AppData\Roaming\Shortcutter.exe
      "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\build.exe
    "C:\Windows\build.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1468
      4⤵
      Program crash
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
2.6MB

MD5
d529f7ff12da092226af78e409621acb

SHA1
0b6bdbd86a3ff2d9f2af152a26f95e05f07ef2c8

SHA256
fce4139d84d30095c0e8fa0c6493270bccb8880806b317c38f0db53928a7558f

SHA512
9e0f66450dbdb071006769c9b0509800895431edc8af9228938b882b7e45b45cea841bf9bdfab0300a8035930d7e56e71029e6adfeb034c1b6d35a8595bc320e

Download Submit
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
3.0MB

MD5
3ae5b56cb19bc32ad89e9d126052cb92

SHA1
ee7f0816ef6e47220a5195a0f1b04f5e6edecdd9

SHA256
ca06605c0077e801e915f8b379d6a5c398e2205444c7f26915ee188e560e001f

SHA512
23630b0a4d35421e17bf5cb1454d7fea0cabe19c8ec4d353ff1a8f6f3315b1ffed6ef47e1290b429f61422848f7f34357d66d16ab7e40407972af92500b92b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9fec92b14e975ec3076ea3f62561207

SHA1
9608cac226d3390eb54a2ade4f6b16ed46afcd8b

SHA256
3d8b8644a0ecb43f61d48f11b5065c67684d752e258639be98785079b9cf83f0

SHA512
81f3ab0ca202b3c1efb8a1e25d8b5decffb404c6ffce38ded79082b6dc7fa4d8186eaa6edba343dce632be9ea4bf649ef69d4fc428afbb8bdedcdc118492519f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2CD2.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6c7f34489d9cc2764f60c50b6a71f443

SHA1
14ac14da9d2b725ea38133b26c43bdd0b6c93ab0

SHA256
d43d4c1c98cfe28f6e9102d04707765a162dbb075c19b2bfe2ed1b966f11d56e

SHA512
7c3fc7c443845371ad967658161e599ac8c33e99e268400a6edb227515767744939bc2cb84a9116295dbefb15e4f53fa69349ea31432dae0a0464e34dc1fff87

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.5MB

MD5
0cdbe338f69dc81654dd04969529ca0a

SHA1
c5270552bb0b7c9e48474016aad16fa6076eec62

SHA256
10952b20d910ac24de289ad6d87d3dfadaf50935dac4812453d8b9f4a1756bcd

SHA512
41a20abe8ced0e15fced1a5fb650d12af57736a5e2ce5e22d7029e24a20653b22d4035700e4e5feceb056d4be66c59ab19bc3abe3a31190e7a534f023f4281cc

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
64KB

MD5
65a1db0775e09e36857f260e4c38d8e7

SHA1
df9a90c72d07f270e939e788793a3cc0297b1579

SHA256
ce9a23fd46e8e6ca4d1a9d015e2f93f49917613125f0c3b64420414b7bf22646

SHA512
b809c41936aa02c624f63e910001fb72a03a12c97fe336a5233dfb2be52178593c39b02629a9a6899d7560d169e8027f6f8f26a7e71b7394fd6a0d0cb0037308

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.3MB

MD5
ac317beecde75796535637568527a5df

SHA1
71051422dd7a8fcb1c177b544e7b1c7d877e06c6

SHA256
437df928a4466198b8d09b6a1bcf3f650a6460d1342c8ce1d1c2dbf4d8e079a9

SHA512
8d775a94f0188638d2a9ada0b586ec206840483e5e3718a871e34bbe5bb468dab9cefcd499966ae7ad5ae2c1c340c101e07fb2c181ce6920a8c384bc06dd6a73

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
4.8MB

MD5
a094edfe4bba779ec510bfbd719e6828

SHA1
c674b05fde1222ff51834ca2f1a5bfa81c97961c

SHA256
5be650dc2297ab067eba9fe76539cfac87dddc406b20ef9b7e7c58daac385a2c

SHA512
dc6e0d4393cd2d4d6c8ac23a3bfacb8b8f59dea33f5fbcbaa4af0eb64a94236e6956ef9f9dc5b8a040d3a2e5a6750d07f70ede4fa3f864e61b22dd4ee4687535

Download Submit
C:\Users\Admin\AppData\Roaming\Shortcutter.exe

Filesize
50KB

MD5
4ce8fc5016e97f84dadaf983cca845f2

SHA1
0d6fb5a16442cf393d5658a9f40d2501d8fd725c

SHA256
f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

SHA512
4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

Download Submit
C:\Windows\build.exe

Filesize
188KB

MD5
ffe5ff4a06e3a7696484bbce8f3ade91

SHA1
af919d9b6b7abef80fb5c85498ffc5ec0c0ae394

SHA256
b256448e3219b2b7033b4c214c78b02db0d4e000f943fc98dffede3d8a6a7cf3

SHA512
bfeb89c2b5e7420d48879d010cfe2f4d587f1d43612fd3ab489988092d11dfd4796a306c5a4b8a6be8b78ebde2e0561bae3ee5e1d4a827aa43db8e13d55cc9a4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
710d55f3d3ca732fc39af6ffc68981ed

SHA1
f5795ab6843bf05d8b845b854a7fcf566a8a6b41

SHA256
651618095b62236fcd605652b4ee1e92886ffc38d72660149030b25f2ace3306

SHA512
1b8f40d21a3674ec23b67501fb4305d1bdd8cb7c3837d43014585a185e1aa9c3f9405c8429f85f4f76df80ecfc071ad6ac4a85d8581481bd88fd0f8c7e188e54

Download Submit
\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
3.4MB

MD5
2f3ec4f9298b428a81bd2831b4ebb94f

SHA1
f690c634efacda87e25b3cad1ebc3372721e5d46

SHA256
a8f2eac77fc10d3460b51f40100a1cef0465a6ec8cccc77b3ac4a613a6ecdd1b

SHA512
b64ed4e9a6a023e1dd0ce6999001b9a15b731f224ab67264e464abb283d59531b7b265af0d59792c0561066faf6343cb034ffa2c7885b3604e68e295901d1dc0

Download Submit
\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
2.6MB

MD5
e96435a0aab6f35c06570df1dd35374e

SHA1
77d76b1f9a8b4f48c005bf871b5fa985f9d750dc

SHA256
e6e8db6f827cb5f6ede128276f679f12ab5d6efd95cb1e5db06c2beaac49973a

SHA512
5335939141a7f7c9e104d0afa50def8ac1da32b65f0c0a9b1303c35aebf7a0c5d764cabc020ff5b1fa760ad36476d1a23bfe543b798a1b120777bcfd450b83c4

Download Submit
\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.2MB

MD5
6387a2ff3f72421d0862e1b7c0acb6f4

SHA1
1740b1418c41440a5ab87d076e7a7ebc1c750d28

SHA256
2144809cac8ee1d613e5796eb831a41299c527904bc71b65b36e3b4ed8757b7f

SHA512
84ea906187a97b366de6cf080b05230fbe761fa437987e8254d06a82a23dd559f3bec24e794dfc0516cac31f7e044936e60c74ee4ab580c07ab6ef2dce81ed9b

Download Submit
\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.3MB

MD5
85c966fb48097ec8bdaf53f20377f1ae

SHA1
084e91879365b060bcba6bcd1508ef473c389005

SHA256
2d34e3e472a3f7d35fe94328f9793cb1f3a78fee9829aeddcb3d08f5451367ba

SHA512
38cdb5fff07dfc93ab1554555a55cc1aefd4dd63e901ff94841d1f8b0199160d127523b4057de5cd41c55075f7ebedb13fb8c289a6baa475df6e7df4f492fb40

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe

Filesize
4.5MB

MD5
ff8ca8a8ff88e5aa467d96cef9ca82fa

SHA1
e97ab0eb45d7a93eadb798e50c881459d0a85387

SHA256
7c8bd567579e15a6e03fbcde5668ea80e1cf56a13b6f636bfd7d90d072b467de

SHA512
18775d008beb71cd15de86b4134a57e24fa01bdb0b27a0c89239f8ab83316f9607cda6d0fc0d868bd83f9136427d18d1a467150899354474a330c636a8a71119

Download Submit
memory/108-302-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

Filesize
172KB

Download
memory/108-303-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/332-316-0x0000000002000000-0x000000000202B000-memory.dmp

Filesize
172KB

Download
memory/332-323-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/436-201-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/436-199-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/436-200-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/436-197-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/436-207-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/436-202-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/436-210-0x0000000077651000-0x0000000077652000-memory.dmp

Filesize
4KB

Download
memory/480-221-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/480-215-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/480-209-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/480-213-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/492-217-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/492-222-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/492-237-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/492-225-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/500-223-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/500-241-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/500-226-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/500-231-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/600-242-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/600-247-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/600-319-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/600-244-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/600-238-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/680-253-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/680-251-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/680-254-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/680-329-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/752-264-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/752-274-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/752-341-0x0000000000D70000-0x0000000000D9B000-memory.dmp

Filesize
172KB

Download
memory/752-258-0x0000000000D70000-0x0000000000D9B000-memory.dmp

Filesize
172KB

Download
memory/816-270-0x0000000000D10000-0x0000000000D3B000-memory.dmp

Filesize
172KB

Download
memory/816-354-0x0000000000D10000-0x0000000000D3B000-memory.dmp

Filesize
172KB

Download
memory/816-290-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/856-265-0x0000000000DC0000-0x0000000000DEB000-memory.dmp

Filesize
172KB

Download
memory/856-268-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/856-347-0x0000000000DC0000-0x0000000000DEB000-memory.dmp

Filesize
172KB

Download
memory/964-288-0x0000000000EC0000-0x0000000000EEB000-memory.dmp

Filesize
172KB

Download
memory/964-300-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/1052-275-0x000000001A090000-0x000000001A372000-memory.dmp

Filesize
2.9MB

Download
memory/1052-297-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/1052-283-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-282-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/1052-286-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/1052-335-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-294-0x000007FEEC880000-0x000007FEED21D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-279-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/1052-325-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/1068-313-0x0000000000B70000-0x0000000000B9B000-memory.dmp

Filesize
172KB

Download
memory/1112-327-0x0000000002220000-0x000000000224B000-memory.dmp

Filesize
172KB

Download
memory/1112-331-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/1176-334-0x0000000002170000-0x000000000219B000-memory.dmp

Filesize
172KB

Download
memory/1284-344-0x0000000004180000-0x00000000041AB000-memory.dmp

Filesize
172KB

Download
memory/1284-350-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/1388-183-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/1388-180-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1388-177-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/1388-181-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1388-182-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1388-179-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/1388-178-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1388-176-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/1388-175-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1708-35-0x0000000073640000-0x0000000073BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-37-0x0000000002D90000-0x0000000002DD0000-memory.dmp

Filesize
256KB

Download
memory/1708-39-0x0000000073640000-0x0000000073BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-42-0x0000000073640000-0x0000000073BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-191-0x0000000077600000-0x00000000777A9000-memory.dmp

Filesize
1.7MB

Download
memory/1736-309-0x0000000077600000-0x00000000777A9000-memory.dmp

Filesize
1.7MB

Download
memory/1736-187-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1736-192-0x00000000774E0000-0x00000000775FF000-memory.dmp

Filesize
1.1MB

Download
memory/1736-194-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1736-188-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1736-186-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1736-185-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1736-190-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2224-356-0x0000000037640000-0x0000000037650000-memory.dmp

Filesize
64KB

Download
memory/2224-352-0x00000000037A0000-0x00000000037CB000-memory.dmp

Filesize
172KB

Download
memory/2624-36-0x0000000073640000-0x0000000073BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-38-0x0000000073640000-0x0000000073BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-43-0x0000000073640000-0x0000000073BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-193-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-41-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2736-40-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-205-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2736-34-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/3004-248-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download