vidar | 1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-09-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe
Size

5.5MB
MD5

e0dfc852c37571b8468b2d17f573a12f
SHA1

38ec845f203450b7d6a51e9a441ab609b5ff1100
SHA256

1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541
SHA512

783c27474e39e99a4ab153f6d42f2b9808df2ebcd3b4299c0067ed9e21d635ba92505d21b96ccf512ca406a36ae9770ffce85e36842a9dac7a4ae87becdf35af
SSDEEP

98304:Uuc009atEN5lsTu7vAcJnIQEUmM1nGGqJe2OUxulDhTCGiYbFr54L6Bid09VGg5Q:Uuc39a45lr7vR9nEi1nGGqQMuLWnOoLH

Score

10^/10

vidar b699ecb1aa34580fba79282dae821438 defense_evasion discovery evasion execution persistence stealer

Malware Config

Extracted

Family

vidar

Version

8.7

Botnet

b699ecb1aa34580fba79282dae821438

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
b699ecb1aa34580fba79282dae821438
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001700000000558f-22.dat	family_vidar_v7

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
2076	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe
File created	C:\Windows\system32\drivers\etc\hosts	whrbuflqwhah.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RYVSUJUA\ImagePath = "C:\\ProgramData\\trmrjvadsnmf\\whrbuflqwhah.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2832	Miner.exe
3032	Stealer.exe
1104	whrbuflqwhah.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe
940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe
1968	WerFault.exe
1968	WerFault.exe
1968	WerFault.exe
1968	WerFault.exe
468	services.exe
468	services.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\MRT.exe	whrbuflqwhah.exe
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2440	2832	Miner.exe	53
PID 1104 set thread context of 2964	1104	whrbuflqwhah.exe	81
PID 1104 set thread context of 2592	1104	whrbuflqwhah.exe	82
PID 1104 set thread context of 2956	1104	whrbuflqwhah.exe	83

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2108	sc.exe
1756	sc.exe
2208	sc.exe
2176	sc.exe
2268	sc.exe
2924	sc.exe
1144	sc.exe
2980	sc.exe
3048	sc.exe
832	sc.exe
2836	sc.exe
2728	sc.exe
2096	sc.exe
2064	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	3032	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stealer.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 703a3758540ddb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Stealer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	powershell.exe
2832	Miner.exe
1604	powershell.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2832	Miner.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
1104	whrbuflqwhah.exe
2440	dialer.exe
2440	dialer.exe
2076	powershell.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
2440	dialer.exe
1104	whrbuflqwhah.exe
1104	whrbuflqwhah.exe
2440	dialer.exe
2440	dialer.exe
1104	whrbuflqwhah.exe
1104	whrbuflqwhah.exe
2440	dialer.exe
2440	dialer.exe
1104	whrbuflqwhah.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2440	dialer.exe
Token: SeAuditPrivilege	852	svchost.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2964	dialer.exe
Token: SeLockMemoryPrivilege	2956	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 2848	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	31
PID 940 wrote to memory of 2848	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	31
PID 940 wrote to memory of 2848	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	31
PID 940 wrote to memory of 2832	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	33
PID 940 wrote to memory of 2832	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	33
PID 940 wrote to memory of 2832	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	33
PID 940 wrote to memory of 3032	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	34
PID 940 wrote to memory of 3032	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	34
PID 940 wrote to memory of 3032	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	34
PID 940 wrote to memory of 3032	940	1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe	34
PID 3032 wrote to memory of 1968	3032	Stealer.exe	37
PID 3032 wrote to memory of 1968	3032	Stealer.exe	37
PID 3032 wrote to memory of 1968	3032	Stealer.exe	37
PID 3032 wrote to memory of 1968	3032	Stealer.exe	37
PID 1060 wrote to memory of 2972	1060	cmd.exe	46
PID 1060 wrote to memory of 2972	1060	cmd.exe	46
PID 1060 wrote to memory of 2972	1060	cmd.exe	46
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2832 wrote to memory of 2440	2832	Miner.exe	53
PID 2440 wrote to memory of 420	2440	dialer.exe	5
PID 2440 wrote to memory of 468	2440	dialer.exe	6
PID 2440 wrote to memory of 476	2440	dialer.exe	7
PID 2440 wrote to memory of 484	2440	dialer.exe	8
PID 2440 wrote to memory of 596	2440	dialer.exe	9
PID 2440 wrote to memory of 672	2440	dialer.exe	10
PID 2440 wrote to memory of 732	2440	dialer.exe	11
PID 2440 wrote to memory of 816	2440	dialer.exe	12
PID 2440 wrote to memory of 852	2440	dialer.exe	13
PID 2440 wrote to memory of 996	2440	dialer.exe	15
PID 2440 wrote to memory of 292	2440	dialer.exe	16
PID 2440 wrote to memory of 284	2440	dialer.exe	17
PID 2440 wrote to memory of 1036	2440	dialer.exe	18
PID 2440 wrote to memory of 1240	2440	dialer.exe	19
PID 2440 wrote to memory of 1332	2440	dialer.exe	20
PID 2440 wrote to memory of 1392	2440	dialer.exe	21
PID 2440 wrote to memory of 848	2440	dialer.exe	23
PID 2440 wrote to memory of 1460	2440	dialer.exe	24
PID 2440 wrote to memory of 1532	2440	dialer.exe	25
PID 2440 wrote to memory of 2324	2440	dialer.exe	26
PID 2440 wrote to memory of 2292	2440	dialer.exe	27
PID 2440 wrote to memory of 1984	2440	dialer.exe	28
PID 2440 wrote to memory of 2832	2440	dialer.exe	33
PID 2440 wrote to memory of 2808	2440	dialer.exe	36
PID 2440 wrote to memory of 3048	2440	dialer.exe	54
PID 2440 wrote to memory of 3040	2440	dialer.exe	55
PID 2440 wrote to memory of 832	2440	dialer.exe	56
PID 2440 wrote to memory of 1124	2440	dialer.exe	57
PID 2440 wrote to memory of 1756	2440	dialer.exe	58
PID 2440 wrote to memory of 2268	2440	dialer.exe	59
PID 2440 wrote to memory of 1988	2440	dialer.exe	60
PID 2440 wrote to memory of 2488	2440	dialer.exe	61
PID 2440 wrote to memory of 320	2440	dialer.exe	62
PID 1988 wrote to memory of 1652	1988	cmd.exe	64
PID 1988 wrote to memory of 1652	1988	cmd.exe	64
PID 1988 wrote to memory of 1652	1988	cmd.exe	64
PID 2440 wrote to memory of 1652	2440	dialer.exe	64
PID 2440 wrote to memory of 1652	2440	dialer.exe	64
PID 468 wrote to memory of 1104	468	services.exe	65
PID 468 wrote to memory of 1104	468	services.exe	65

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1460
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1532
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2808
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:832
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:732
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1332
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:292
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1240
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2324
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2292
- C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1904
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2924
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2208
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2108
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2728
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2592
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2956

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe
  "C:\Users\Admin\AppData\Local\Temp\1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAeQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAZQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AZQB4ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Users\Admin\AppData\Roaming\Miner.exe
    "C:\Users\Admin\AppData\Roaming\Miner.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2972
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1144
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2980
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2176
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2096
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2064
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:3048
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:832
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1756
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:2268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1652
- - C:\Users\Admin\AppData\Local\Temp\Stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1436
      4⤵
      Loads dropped DLL
      Program crash
      PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-780188411-2053602701-1329145519-163323047515613597881108536066-15500259551809927074"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "166157035120823127321137749611206403214-561228375-2103622562-64214863-474104448"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1440747364426560902-5488004128257961671883885347997462160-1124232573-1916376042"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1012673534-87853427131808200467992410165980439720346168215459730001525061136"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2141884065459387492157079018-20750117172045415758-644076974917982501-1127781154"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2085223864-1374955838-1652974123-1116262077-1767695058-544797243-202657379-1567346614"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11230892811616897765-639382797-163913236027915801934583571-1914638701956326305"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "616403830-264876184933470441-1713552869783267126291584506-777952994-258630891"
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF5E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealer.exe

Filesize
203KB

MD5
46a4e1cd3bae840958c82a7765ca3bb1

SHA1
f5239f36d37167b0d247e044e9e3c7cd88962a34

SHA256
aca8c3a961abb7db28d372d9e1d00f05784cf97e4b7d2e56b099a7eba1cbe4ee

SHA512
6818c1313db70e2b03f77a65f77878c4246dcc16f7a077390792a5f5ac3df12a078d7da0d7f2492bcf7bb68ca2ed7dff7dfdef5ebd88e41dc646016491b5afd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF665.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2ab4e2396578d6c6d816aab10396f481

SHA1
b6e24a54c15494e5e12a92de58de9b50343d3055

SHA256
fe9783ddadb7e192330fd6cacd8d982c2521cd19b2f436365ae118c044a3281a

SHA512
a732a3d424779cf55761cf5c8504e640ac3d0f7f8cc905888a99398ec1192ead984d392cfd0a87c80377e0151b84f1f0f4eaaacea05be3ac4fd85fd40eaf3ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
5.3MB

MD5
99201be105bf0a4b25d9c5113da723fb

SHA1
443e6e285063f67cb46676b3951733592d569a7c

SHA256
e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2

SHA512
b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
540138285295c68de32a419b7d9de687

SHA1
1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56

SHA256
33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb

SHA512
7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
831dbe568992299e589143ee8898e131

SHA1
737726173aab8b76fe1f98104d72bb91abd273bf

SHA256
4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405

SHA512
39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
cf82e7354e591c1408eb2cc0e29dd274

SHA1
7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9

SHA256
59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d

SHA512
98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
5026297c7c445e7f6f705906a6f57c02

SHA1
4ec3b66d44b0d44ec139bd1475afd100748f9e91

SHA256
506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc

SHA512
5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
1c678ee06bd02b5d9e4d51c3a4ec2d2b

SHA1
90aa7fdfaaa37fb4f2edfc8efc3994871087dedb

SHA256
2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3

SHA512
ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
715KB

MD5
340af83514a525c50ffbbf8475ed62b7

SHA1
e2f382ae75afe7df8a323320bbb2aafa1ff6e407

SHA256
fb298e9a90476b4698def395a8ee1974c1cee3959b658662c730da915caea417

SHA512
8236aab579456ef4614ddd5fbfe72d0b0b26617c43a9cd53c3de56d3ac052eee8ca7d70749aaca0692855ecd4fd5f1460ac0b1dd30481dee519b910755c1cc2d

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
715KB

MD5
718bb9564980029a2e3341093a4bb082

SHA1
8953d96e47b65c2c70f2bcc3d9e2e7c55d41ee61

SHA256
ad7b5314ef00ce846ae2c91a32dd1c1f2b4905cf182005e251ad6d4af66cc977

SHA512
3f22961d108271dc098ae2c75d217991da38c18a587b44abd74da853ea26d171ca1a507c3200f3b7c2a8175bfff5a8b968a551a4804082064dc6f2ef98b5432d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
710KB

MD5
66fd0e1999023d23c9f8e3cd7a92af77

SHA1
e0e61df319ddbc7c9d425612295f825c47888658

SHA256
bdbadcf6f408c6d223974d52a69413aebe1d50ac7eaeacefa2beb2f7321355d0

SHA512
b8924cdf53eb5589820a16890fa7abdca20dfc3ca44063d3fdaef484f506419dbf9cd660bc80e8dfe7b7eba7d9db8fe0046accc1fca8d3faf70dedfa1ee0e68f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
394KB

MD5
24da30cbb5f0fe4939862880e72cc32c

SHA1
9132497736f52dae62b79be1677c05e32a7ba2ab

SHA256
a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f

SHA512
332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
710d55f3d3ca732fc39af6ffc68981ed

SHA1
f5795ab6843bf05d8b845b854a7fcf566a8a6b41

SHA256
651618095b62236fcd605652b4ee1e92886ffc38d72660149030b25f2ace3306

SHA512
1b8f40d21a3674ec23b67501fb4305d1bdd8cb7c3837d43014585a185e1aa9c3f9405c8429f85f4f76df80ecfc071ad6ac4a85d8581481bd88fd0f8c7e188e54

Download Submit
memory/420-84-0x00000000007A0000-0x00000000007C4000-memory.dmp

Filesize
144KB

Download
memory/420-89-0x0000000037000000-0x0000000037010000-memory.dmp

Filesize
64KB

Download
memory/420-86-0x00000000007A0000-0x00000000007C4000-memory.dmp

Filesize
144KB

Download
memory/420-87-0x0000000000860000-0x000000000088B000-memory.dmp

Filesize
172KB

Download
memory/420-88-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/468-101-0x0000000037000000-0x0000000037010000-memory.dmp

Filesize
64KB

Download
memory/468-100-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/468-94-0x00000000000B0000-0x00000000000DB000-memory.dmp

Filesize
172KB

Download
memory/476-104-0x0000000037000000-0x0000000037010000-memory.dmp

Filesize
64KB

Download
memory/476-103-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/476-98-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/940-1-0x00000000010B0000-0x000000000162C000-memory.dmp

Filesize
5.5MB

Download
memory/940-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/940-2-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/940-23-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1604-71-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/1604-70-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2076-361-0x0000000019D30000-0x000000001A012000-memory.dmp

Filesize
2.9MB

Download
memory/2440-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-80-0x0000000076DA0000-0x0000000076EBF000-memory.dmp

Filesize
1.1MB

Download
memory/2440-73-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-74-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-79-0x0000000076FC0000-0x0000000077169000-memory.dmp

Filesize
1.7MB

Download
memory/2440-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-81-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-75-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2848-24-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2848-25-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2848-9-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download