neshta | a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8

Analysis

max time kernel
134s
max time network
125s
platform
windows10_x64
resource
win10-en-20210920
submitted
08-10-2021 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
Size

506KB
MD5

7d22685ef9d80598a24d2f096e527da9
SHA1

458b1d290faa64ebbe4c5989229bacc060bd8713
SHA256

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8
SHA512

ca691bfae066e4dc2298e803f23055e999c405b170165f3c4658b232ce0a820e356347cfe164dc046a763842a2d42d4d3a241792d88f3754b5b3ddf484f976f3

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4056-130-0x00000000004080E4-mapping.dmp	family_neshta
behavioral1/memory/4056-129-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/4056-144-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1516-152-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/3300-173-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 14 IoCs

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exea3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exea3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exesvchost.comA3D591~1.EXEA3D591~1.EXEA3D591~1.EXEA3D591~1.EXEsvchost.comA3D591~1.EXEA3D591~1.EXEA3D591~1.EXEsvchost.comA3D591~1.EXE

pid	process
500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
1968	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
4056	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
3564	svchost.com
708	A3D591~1.EXE
2436	A3D591~1.EXE
1492	A3D591~1.EXE
1516	A3D591~1.EXE
1708	svchost.com
2004	A3D591~1.EXE
2424	A3D591~1.EXE
3300	A3D591~1.EXE
368	svchost.com
1468	A3D591~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exeA3D591~1.EXEA3D591~1.EXE

description	pid	process	target process
PID 500 set thread context of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 708 set thread context of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 2004 set thread context of 3300	2004	A3D591~1.EXE	A3D591~1.EXE

Drops file in Program Files directory 53 IoCs

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe

Drops file in Windows directory 12 IoCs

Processes:

svchost.coma3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exeA3D591~1.EXEsvchost.comA3D591~1.EXEa3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\Windows\svchost.com	A3D591~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	A3D591~1.EXE
File opened for modification	C:\Windows\svchost.com	A3D591~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	A3D591~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exea3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exeA3D591~1.EXEA3D591~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	A3D591~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	A3D591~1.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exeA3D591~1.EXEA3D591~1.EXE

pid	process
500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
708	A3D591~1.EXE
708	A3D591~1.EXE
708	A3D591~1.EXE
708	A3D591~1.EXE
2004	A3D591~1.EXE
2004	A3D591~1.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exeA3D591~1.EXEA3D591~1.EXE

description	pid	process
Token: SeDebugPrivilege	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
Token: SeDebugPrivilege	708	A3D591~1.EXE
Token: SeDebugPrivilege	2004	A3D591~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2344 wrote to memory of 500	2344	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 2344 wrote to memory of 500	2344	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 2344 wrote to memory of 500	2344	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 1968	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 1968	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 1968	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 500 wrote to memory of 4056	500	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
PID 4056 wrote to memory of 3564	4056	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	svchost.com
PID 4056 wrote to memory of 3564	4056	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	svchost.com
PID 4056 wrote to memory of 3564	4056	a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe	svchost.com
PID 3564 wrote to memory of 708	3564	svchost.com	A3D591~1.EXE
PID 3564 wrote to memory of 708	3564	svchost.com	A3D591~1.EXE
PID 3564 wrote to memory of 708	3564	svchost.com	A3D591~1.EXE
PID 708 wrote to memory of 2436	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 2436	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 2436	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1492	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1492	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1492	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 708 wrote to memory of 1516	708	A3D591~1.EXE	A3D591~1.EXE
PID 1516 wrote to memory of 1708	1516	A3D591~1.EXE	svchost.com
PID 1516 wrote to memory of 1708	1516	A3D591~1.EXE	svchost.com
PID 1516 wrote to memory of 1708	1516	A3D591~1.EXE	svchost.com
PID 1708 wrote to memory of 2004	1708	svchost.com	A3D591~1.EXE
PID 1708 wrote to memory of 2004	1708	svchost.com	A3D591~1.EXE
PID 1708 wrote to memory of 2004	1708	svchost.com	A3D591~1.EXE
PID 2004 wrote to memory of 2424	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 2424	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 2424	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 2004 wrote to memory of 3300	2004	A3D591~1.EXE	A3D591~1.EXE
PID 3300 wrote to memory of 368	3300	A3D591~1.EXE	svchost.com
PID 3300 wrote to memory of 368	3300	A3D591~1.EXE	svchost.com
PID 3300 wrote to memory of 368	3300	A3D591~1.EXE	svchost.com
PID 368 wrote to memory of 1468	368	svchost.com	A3D591~1.EXE

C:\Users\Admin\AppData\Local\Temp\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
"C:\Users\Admin\AppData\Local\Temp\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe"
3⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
6⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
6⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
9⤵
- Executes dropped EXE
PID:2424

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
11⤵
- Executes dropped EXE
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A3D591~1.EXE.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\A3D591~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
5b39501d25dd8b282a17b2f43ac7cf2a

SHA1
a5fec123646cba41de0d17b153b4c0b47c498a7a

SHA256
c615a02211728377d4ece9300a93dc9f779758533e96e47365193a994b24f28a

SHA512
4b99813fcf3f99e042e11f2a7ed23674829f316699840b60d0dd6cc2da7ffbb77c8a48c0b600d09869c47839912bbb0174a93382d7685205876c85bf3f6e89c3

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
5f9c25ca1be65abf6b65822925803037

SHA1
e2a4fad40b08faaa361cbbca31c6db5e675cc3c1

SHA256
206e0cb140a335dfe90eb368d416dc0e15f56aa09da5728c0c724e38d30dd2c7

SHA512
06f80de298ba99c0d1595d013370e9dbddd53c0997e81833bd795975cc603fe26f5dcb07cb7ae6af049e5d9a3b45aaf8877d05942c0414e2ebac316c2a5f61f3

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/368-175-0x0000000000000000-mapping.dmp

Download
memory/500-127-0x0000000008F50000-0x0000000008F87000-memory.dmp

Filesize
220KB

Download
memory/500-123-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/500-118-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/500-120-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/500-121-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/500-122-0x0000000005310000-0x000000000580E000-memory.dmp

Filesize
5.0MB

Download
memory/500-124-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/500-125-0x0000000005600000-0x0000000005606000-memory.dmp

Filesize
24KB

Download
memory/500-126-0x0000000008EE0000-0x0000000008F47000-memory.dmp

Filesize
412KB

Download
memory/500-115-0x0000000000000000-mapping.dmp

Download
memory/708-146-0x0000000005630000-0x0000000005B2E000-memory.dmp

Filesize
5.0MB

Download
memory/708-136-0x0000000000000000-mapping.dmp

Download
memory/1468-185-0x0000000005530000-0x0000000005A2E000-memory.dmp

Filesize
5.0MB

Download
memory/1468-179-0x0000000000000000-mapping.dmp

Download
memory/1516-152-0x00000000004080E4-mapping.dmp

Download
memory/1708-154-0x0000000000000000-mapping.dmp

Download
memory/2004-158-0x0000000000000000-mapping.dmp

Download
memory/2004-166-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3300-173-0x00000000004080E4-mapping.dmp

Download
memory/3564-132-0x0000000000000000-mapping.dmp

Download
memory/4056-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4056-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4056-130-0x00000000004080E4-mapping.dmp

Download