neshta | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44

Analysis

max time kernel
149s
max time network
149s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-12-2021 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
Size

6.9MB
MD5

120e6c560c8582338b97bc1112703588
SHA1

4017ad3a595577f006273315a927764d6bf53941
SHA256

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44
SHA512

92c7f20c9b9b4ab36a5bd189aa7dcf76d38b5c13b40be2c65b5fa7f865a0c7bfd196cc8f7437f0c7a36e135c74f42381e2572a9d4804e7b6cec1541fdc05929d

Score

10^/10

neshta xmrig miner persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 30 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\xmrig.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\xmrig.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\xmrig.exe	xmrig

Executes dropped EXE 6 IoCs

Processes:

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exesvchost.comsvchost.comstart.exexmrig.exexmrig.exe

pid	process
3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
3424	svchost.com
3172	svchost.com
1376	start.exe
3292	xmrig.exe
3500	xmrig.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com

Drops file in Windows directory 5 IoCs

Processes:

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exeaa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exeOpenWith.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

616

pid	process
616

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xmrig.exexmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	3292	xmrig.exe
Token: SeLockMemoryPrivilege	3500	xmrig.exe
Token: SeLockMemoryPrivilege	3500	xmrig.exe
Token: SeLockMemoryPrivilege	3292	xmrig.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

1200 OpenWith.exe
4000 OpenWith.exe

pid	process
1200	OpenWith.exe
4000	OpenWith.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exeaa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exesvchost.comstart.exesvchost.comcmd.exe

description	pid	process	target process
PID 2416 wrote to memory of 3036	2416	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
PID 2416 wrote to memory of 3036	2416	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
PID 2416 wrote to memory of 3036	2416	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
PID 3036 wrote to memory of 3424	3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	svchost.com
PID 3036 wrote to memory of 3424	3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	svchost.com
PID 3036 wrote to memory of 3424	3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	svchost.com
PID 3036 wrote to memory of 3172	3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	svchost.com
PID 3036 wrote to memory of 3172	3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	svchost.com
PID 3036 wrote to memory of 3172	3036	aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe	svchost.com
PID 3172 wrote to memory of 1376	3172	svchost.com	start.exe
PID 3172 wrote to memory of 1376	3172	svchost.com	start.exe
PID 3172 wrote to memory of 1376	3172	svchost.com	start.exe
PID 1376 wrote to memory of 1916	1376	start.exe	cmd.exe
PID 1376 wrote to memory of 1916	1376	start.exe	cmd.exe
PID 1376 wrote to memory of 1916	1376	start.exe	cmd.exe
PID 3424 wrote to memory of 3292	3424	svchost.com	xmrig.exe
PID 3424 wrote to memory of 3292	3424	svchost.com	xmrig.exe
PID 1916 wrote to memory of 3500	1916	cmd.exe	xmrig.exe
PID 1916 wrote to memory of 3500	1916	cmd.exe	xmrig.exe

C:\Users\Admin\AppData\Local\Temp\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
"C:\Users\Admin\AppData\Local\Temp\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\xmrig.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\xmrig.exe
C:\Users\Admin\AppData\Local\Temp\xmrig.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\start.exe
C:\Users\Admin\AppData\Local\Temp\start.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\xmrig.exe
xmrig.exe -o stratum+tcp://pool.supportxmr.com:5555 -u 49XvnNUfaH7Mr4rjpNrvLXJS8deqg1rBzPGnvuWrPnDmPRJ2w9HjvaN3sJyTYGKXzR9GYYMLZaaLhBzGEA7kKGtAFBkMYCK.rig1 -p x --donate-level 1
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
MD5
8db8df5afb216d89fcb0bdf24662c9b5

SHA1
f0819d096526f02b0f7c50b56cebd7c521600897

SHA256
bc9c19ede72076a2c8cc18a4b2305cabc999244fb92d471c87036bb796d3f89f

SHA512
dc63a71b6b04e89ecf744bf890c74caa11cb3525aeccaede6dafa72fa3eebd40b8d352651d0bc8b1deb0768a38e5c2660200cac84eec48ddab01beaa8c9c0bea

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
MD5
d90510a290c2987a2613df8eba3264cf

SHA1
226b619ccd33c2a186aef6cbb759b2d4cf16fff5

SHA256
49577d0c54d9f941d25346dd964f309da452b62bfb09282cabc2fbcb169fdf5d

SHA512
e0554a501009dd67bd1dbd586ad66a90ad2d75aa67782fc5fbb783aeaed7ef8e525e70bd96a6eb8a1f9008f541e2f281061d30b7886aae771f226c5b882d8247

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
MD5
2d3cc5612a414f556f925a3c1cb6a1d6

SHA1
0fee45317280ed326e941cc2d0df848c4e74e894

SHA256
fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

SHA512
cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
MD5
6e84b6096aaa18cabc30f1122d5af449

SHA1
e6729edd11b52055b5e34d39e5f3b8f071bbac4f

SHA256
c6b7f9119cf867951f007c5468f75eb4dca59c7eedeb0afdd8ad9d5b9606e759

SHA512
af5b33e7e190587bb152adf65fbcd4c1cd521f638863a6d1c7de29599cce6439b6c7b653180661cb0382007aefa0ae5a1b1b841eaaa116ce715f3a5ba0725a42

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
fa982a173f9d3628c2b3ff62bd8a2f87

SHA1
2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

SHA256
bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

SHA512
95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE
MD5
346d2ff654d6257364a7c32b1ec53c09

SHA1
224301c0f56a870f20383c45801ec16d01dc48d1

SHA256
a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255

SHA512
223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
MD5
acecd9d2b3e52cb1b16d9287d0fda2af

SHA1
93063fcb0c0ef1f52ce55cd60f7e25a830ce6c3d

SHA256
0bb19116093aa69518b4d9ec3b064c772550ced132390b4fd67a5d1b98c3cd5b

SHA512
ab06e996aed4843a0c3e6cf5830c48596e21fa335e32cc7d6a23cc0d4098819c989ec9325bae445427e0ffd3a3894c06ea18808a15a32461cb733146fbd04750

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
MD5
acecd9d2b3e52cb1b16d9287d0fda2af

SHA1
93063fcb0c0ef1f52ce55cd60f7e25a830ce6c3d

SHA256
0bb19116093aa69518b4d9ec3b064c772550ced132390b4fd67a5d1b98c3cd5b

SHA512
ab06e996aed4843a0c3e6cf5830c48596e21fa335e32cc7d6a23cc0d4098819c989ec9325bae445427e0ffd3a3894c06ea18808a15a32461cb733146fbd04750

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.json
MD5
b4d5d77ee16ef922f44bab22041054b9

SHA1
4aca769d38ad4f0a5065ccc70eccc6a49470b299

SHA256
11cd5885c3d8096f2a56ed5217b2066aac83d8b7891aa916d96e039be19055e5

SHA512
6518890461d6201fe35529fa1d57ef7567f2cdcf34dc8af136eca2788dec48f2e2e32a8269653bac9179927256f6fd561e9a4453d4488e5e8d9bae796d9df110

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.cmd
MD5
a6a75a12bf9fa181528834edb6c89cc1

SHA1
f45b174f2b7b5b68335ea182b5a296ad9df9bb0a

SHA256
fc00a6fbfc72dc81e6f530f7c64648162e7f3a6205b85f6dd754f05ab6e44987

SHA512
f6ff874f95da84edc94d37ef0ffbc9d46ac8f8d85a72f58dfbd738187b5e35f7cb64ef43e34a8b257348bcd382f8544f7de867561d2a7245db80511356c5d374

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
MD5
f28e459f5f13edd8ebfdbc2edaa44856

SHA1
05e33691400af1c43194afeb2d2583c5c24ca778

SHA256
c84455888da154185d14360f3f2e46e13120fae507dff69d5b556a29391b9e00

SHA512
4d15bfe4a965f72d8c2f5a16362c94a7186afc0070c8020e5e340641eab6ca038e8034cd7dc2c9c5911423c16968352ebcd2e3b1ac16ae35e3be5d7866231ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
MD5
f28e459f5f13edd8ebfdbc2edaa44856

SHA1
05e33691400af1c43194afeb2d2583c5c24ca778

SHA256
c84455888da154185d14360f3f2e46e13120fae507dff69d5b556a29391b9e00

SHA512
4d15bfe4a965f72d8c2f5a16362c94a7186afc0070c8020e5e340641eab6ca038e8034cd7dc2c9c5911423c16968352ebcd2e3b1ac16ae35e3be5d7866231ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
b963cdae781b032ab6298e82209bee27

SHA1
487c860d2d16fd352d48cf7f91f45d7d58b4a739

SHA256
0a1a46f2a9e782213231316a6ea04d660e86df3dbbed87b42910be436ef7269c

SHA512
68b82d42bc549453fb5bcf8a8cb8410451c24455a1911deea3f44759678a37a3640567796f9199a0f1026350d23f44ed1ef34f0e6e40da9f56423d9642cbc2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig.exe
MD5
4c03f40035bf018553157080f1b02671

SHA1
86531b83d3b3317c9da5010357fd9b5fbfd2bebe

SHA256
d1d89ada2bd812473633d6aee4a4e1154affda7d0a5f8e3bf76638701b8c16f9

SHA512
9b20bd124fbce81e562f69c81903f54809ab10206b32b664b19862e8915093fe24a36b0095c3704fd89baca4a7f6fda01a8e3237b33be1efb82f5704080fa926

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig.exe
MD5
4c03f40035bf018553157080f1b02671

SHA1
86531b83d3b3317c9da5010357fd9b5fbfd2bebe

SHA256
d1d89ada2bd812473633d6aee4a4e1154affda7d0a5f8e3bf76638701b8c16f9

SHA512
9b20bd124fbce81e562f69c81903f54809ab10206b32b664b19862e8915093fe24a36b0095c3704fd89baca4a7f6fda01a8e3237b33be1efb82f5704080fa926

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig.exe
MD5
4c03f40035bf018553157080f1b02671

SHA1
86531b83d3b3317c9da5010357fd9b5fbfd2bebe

SHA256
d1d89ada2bd812473633d6aee4a4e1154affda7d0a5f8e3bf76638701b8c16f9

SHA512
9b20bd124fbce81e562f69c81903f54809ab10206b32b664b19862e8915093fe24a36b0095c3704fd89baca4a7f6fda01a8e3237b33be1efb82f5704080fa926

Download Submit
C:\Windows\directx.sys
MD5
7198a8ae4e4642ae87235be4754feaa1

SHA1
f10a1b68b823ad2c825d53bd3fc994ee329524f6

SHA256
f8ed320d625155c03c4ac1599e34a50c444c86d2eb07a9e616db2108b8ef4a52

SHA512
5cae151f6acae478a3083a60f138c38da5f0b3e9627bf5297ad2f0b9c24c2f806a4ca798ff3ef75e2288725e7cfe38e580f2e955f5bd33d927b7925ca06e03e2

Download Submit
C:\Windows\svchost.com
MD5
10a8af56e371107b2a0ca15575b08c91

SHA1
a28b59f09fb7cff94873b2a1499211c7885bfab7

SHA256
09258baa2057b4f26eb9de617c712a2605b5f58bdf9960d30753e4cda6573436

SHA512
7eeabb3789b466d1d15938b4f081d540d667d9c35f7790a1778220949110a1f818469691ca33e32a0ce0ceb59771293e8c952fec0d84db01850f1a05c5bd703d

Download Submit
C:\Windows\svchost.com
MD5
10a8af56e371107b2a0ca15575b08c91

SHA1
a28b59f09fb7cff94873b2a1499211c7885bfab7

SHA256
09258baa2057b4f26eb9de617c712a2605b5f58bdf9960d30753e4cda6573436

SHA512
7eeabb3789b466d1d15938b4f081d540d667d9c35f7790a1778220949110a1f818469691ca33e32a0ce0ceb59771293e8c952fec0d84db01850f1a05c5bd703d

Download Submit
C:\Windows\svchost.com
MD5
10a8af56e371107b2a0ca15575b08c91

SHA1
a28b59f09fb7cff94873b2a1499211c7885bfab7

SHA256
09258baa2057b4f26eb9de617c712a2605b5f58bdf9960d30753e4cda6573436

SHA512
7eeabb3789b466d1d15938b4f081d540d667d9c35f7790a1778220949110a1f818469691ca33e32a0ce0ceb59771293e8c952fec0d84db01850f1a05c5bd703d

Download Submit
C:\odt\OFFICE~1.EXE
MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/1376-126-0x0000000000000000-mapping.dmp

Download
memory/1916-128-0x0000000000000000-mapping.dmp

Download
memory/3036-115-0x0000000000000000-mapping.dmp

Download
memory/3172-122-0x0000000000000000-mapping.dmp

Download
memory/3292-150-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/3292-167-0x0000000001010000-0x0000000001030000-memory.dmp

Filesize
128KB

Download
memory/3292-168-0x0000000001030000-0x0000000001050000-memory.dmp

Filesize
128KB

Download
memory/3292-131-0x0000000000000000-mapping.dmp

Download
memory/3424-118-0x0000000000000000-mapping.dmp

Download
memory/3500-135-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/3500-132-0x0000000000000000-mapping.dmp

Download
memory/3500-165-0x0000000001110000-0x0000000001130000-memory.dmp

Filesize
128KB

Download
memory/3500-166-0x0000000002DF0000-0x0000000002E10000-memory.dmp

Filesize
128KB

Download