amadey | 83f6d9721abac7afdb48fad8a0430fcbb6cb4c1de28e37a0768d92cf8e7c8cda

Resubmissions

30-07-2023 09:27

230730-les4qsgg49 10

29-07-2023 12:31

230729-pp9q1scg28 10

Analysis

max time kernel
300s
max time network
305s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30-07-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-File.exe
Size

28.1MB
MD5

9ddc92ae27b3c01abcc9361f5f10dbeb
SHA1

4ae7273d55275c53ebd66fd8d55d54d5257ad21d
SHA256

48987d9c89542a8cb4f8d34eb34902a4762cc8643c0e491deb6115907db4887b
SHA512

20f81c7cf228b92ef488fc24d1a3ed288f77036903bfcb1a650a7505a9f618c2fafa09e4b7c5e539a5627d6436f7011f1ed0ecf027609524006c07716447e68b
SSDEEP

786432:z6FQ28LUo3oaouyd+sP6qSwbJ+IViZRR/5PwUA1:zAQPLUcoMA+sP6q3pV255rI

Score

10^/10

amadey lumma sectoprat systembc discovery evasion persistence rat spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

systembc

5.42.65.67:4298

localhost.exchange:4298

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3440-287-0x0000000000400000-0x0000000000AAE000-memory.dmp	family_sectoprat
behavioral2/memory/3380-297-0x0000000000400000-0x0000000000AAE000-memory.dmp	family_sectoprat

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BRF.exeBRF.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BRF.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BRF.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

83 1016 rundll32.exe
85 5056 rundll32.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRF.exe

flow	pid	process
83	1016	rundll32.exe
85	5056	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BRF.exeBRF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRF.exe

Executes dropped EXE 5 IoCs

Processes:

fagffakkjlpjxka.exebstyoops.exeBRF.exebstyoops.exeBRF.exe

pid process

4220 fagffakkjlpjxka.exe
612 bstyoops.exe
3440 BRF.exe
1012 bstyoops.exe
3380 BRF.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3920 rundll32.exe
1016 rundll32.exe
204 rundll32.exe
5056 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4220	fagffakkjlpjxka.exe
612	bstyoops.exe
3440	BRF.exe
1012	bstyoops.exe
3380	BRF.exe

pid	process
3920	rundll32.exe
1016	rundll32.exe
204	rundll32.exe
5056	rundll32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
behavioral2/memory/3440-287-0x0000000000400000-0x0000000000AAE000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
behavioral2/memory/3380-297-0x0000000000400000-0x0000000000AAE000-memory.dmp	themida

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
behavioral2/memory/1016-335-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
behavioral2/memory/1016-345-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp	vmprotect
behavioral2/memory/5056-349-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp	vmprotect
behavioral2/memory/5056-356-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bstyoops.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRF.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000057051\\BRF.exe"	bstyoops.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\svc64r.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\svc64r.dll, rundll"	bstyoops.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BRF.exeBRF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRF.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Setup-File.exe

description ioc process

File opened (read-only) \??\F: Setup-File.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BRF.exeBRF.exe

pid process

3440 BRF.exe
3380 BRF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup-File.exe

description pid process target process

PID 1452 set thread context of 3888 1452 Setup-File.exe csc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5064 schtasks.exe

description	ioc	process
File opened (read-only)	\??\F:	Setup-File.exe

pid	process
3440	BRF.exe
3380	BRF.exe

description	pid	process	target process
PID 1452 set thread context of 3888	1452	Setup-File.exe	csc.exe

pid	process
5064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Setup-File.exepowershell.exepowershell.exepowershell.execsc.exefagffakkjlpjxka.exebstyoops.exeBRF.exeBRF.exebstyoops.exerundll32.exerundll32.exepowershell.exe

pid	process
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1452	Setup-File.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
3888	csc.exe
4220	fagffakkjlpjxka.exe
4220	fagffakkjlpjxka.exe
612	bstyoops.exe
612	bstyoops.exe
3440	BRF.exe
3440	BRF.exe
3380	BRF.exe
3380	BRF.exe
1012	bstyoops.exe
1012	bstyoops.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
5056	rundll32.exe
5056	rundll32.exe
5056	rundll32.exe
5056	rundll32.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fagffakkjlpjxka.exe

pid process

4220 fagffakkjlpjxka.exe

pid	process
4220	fagffakkjlpjxka.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

Setup-File.execsc.exefagffakkjlpjxka.exebstyoops.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1452 wrote to memory of 1456	1452	Setup-File.exe	powershell.exe
PID 1452 wrote to memory of 1456	1452	Setup-File.exe	powershell.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 4992	1452	Setup-File.exe	powershell.exe
PID 1452 wrote to memory of 4992	1452	Setup-File.exe	powershell.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 3888	1452	Setup-File.exe	csc.exe
PID 1452 wrote to memory of 2684	1452	Setup-File.exe	powershell.exe
PID 1452 wrote to memory of 2684	1452	Setup-File.exe	powershell.exe
PID 3888 wrote to memory of 4220	3888	csc.exe	fagffakkjlpjxka.exe
PID 3888 wrote to memory of 4220	3888	csc.exe	fagffakkjlpjxka.exe
PID 3888 wrote to memory of 4220	3888	csc.exe	fagffakkjlpjxka.exe
PID 4220 wrote to memory of 612	4220	fagffakkjlpjxka.exe	bstyoops.exe
PID 4220 wrote to memory of 612	4220	fagffakkjlpjxka.exe	bstyoops.exe
PID 4220 wrote to memory of 612	4220	fagffakkjlpjxka.exe	bstyoops.exe
PID 612 wrote to memory of 5064	612	bstyoops.exe	schtasks.exe
PID 612 wrote to memory of 5064	612	bstyoops.exe	schtasks.exe
PID 612 wrote to memory of 5064	612	bstyoops.exe	schtasks.exe
PID 612 wrote to memory of 4452	612	bstyoops.exe	cmd.exe
PID 612 wrote to memory of 4452	612	bstyoops.exe	cmd.exe
PID 612 wrote to memory of 4452	612	bstyoops.exe	cmd.exe
PID 4452 wrote to memory of 3588	4452	cmd.exe	cmd.exe
PID 4452 wrote to memory of 3588	4452	cmd.exe	cmd.exe
PID 4452 wrote to memory of 3588	4452	cmd.exe	cmd.exe
PID 4452 wrote to memory of 4344	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4344	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4344	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 3156	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 3156	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 3156	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4020	4452	cmd.exe	cmd.exe
PID 4452 wrote to memory of 4020	4452	cmd.exe	cmd.exe
PID 4452 wrote to memory of 4020	4452	cmd.exe	cmd.exe
PID 4452 wrote to memory of 4736	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4736	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4736	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4816	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4816	4452	cmd.exe	cacls.exe
PID 4452 wrote to memory of 4816	4452	cmd.exe	cacls.exe
PID 612 wrote to memory of 3440	612	bstyoops.exe	BRF.exe
PID 612 wrote to memory of 3440	612	bstyoops.exe	BRF.exe
PID 612 wrote to memory of 3440	612	bstyoops.exe	BRF.exe
PID 612 wrote to memory of 3380	612	bstyoops.exe	BRF.exe
PID 612 wrote to memory of 3380	612	bstyoops.exe	BRF.exe
PID 612 wrote to memory of 3380	612	bstyoops.exe	BRF.exe
PID 612 wrote to memory of 3920	612	bstyoops.exe	rundll32.exe
PID 612 wrote to memory of 3920	612	bstyoops.exe	rundll32.exe
PID 612 wrote to memory of 3920	612	bstyoops.exe	rundll32.exe
PID 3920 wrote to memory of 1016	3920	rundll32.exe	rundll32.exe
PID 3920 wrote to memory of 1016	3920	rundll32.exe	rundll32.exe
PID 612 wrote to memory of 204	612	bstyoops.exe	rundll32.exe
PID 612 wrote to memory of 204	612	bstyoops.exe	rundll32.exe
PID 612 wrote to memory of 204	612	bstyoops.exe	rundll32.exe
PID 204 wrote to memory of 5056	204	rundll32.exe	rundll32.exe
PID 204 wrote to memory of 5056	204	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1364	1452	Setup-File.exe	powershell.exe
PID 1452 wrote to memory of 1364	1452	Setup-File.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Setup-File.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-File.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\fagffakkjlpjxka.exe
"C:\Users\Admin\AppData\Local\Temp\fagffakkjlpjxka.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3588

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:4344

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4020

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:4736

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3440

C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll, rundll
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll, rundll
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAxAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAyADAA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e58e2005eb076c0468879012d03ed64c

SHA1
077316b9542d2833beb83a9a4a9af1d79a5fa5b6

SHA256
2ea9113ac675abea03d5c8e78cd1712ecfd3f64c14f3f928791e477898fc7c38

SHA512
8cc51d487c07822b7755025cf37ea4a05ce77aa057d5924da1bac74648264f5e00efb6041cd95e411da25f13c81b7b7843033aad280ae35318f077b28778ec38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1bf84d0709b9179e0b91dcae22a262b4

SHA1
2e064a20f2786edceaf76343600591b7f53f17b8

SHA256
cbf4230e539bb611dbb6a7ef894ca34b91f153a8e3c27860fc61820187742b4a

SHA512
ccedddde8ca8d02414e0e152a4ef2675adce5affaed75a32dc8c040c481ff71a1d770d210702fd5d26f73552f832225ecaad26abc040a0d0b86a0d9d865c072b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5810f84b13c4ffc9cc3d2e4d5850c6f0

SHA1
32f3d182649492be27959e02d91625a238a05066

SHA256
fe98a3f81d70e119dc4f793e0358260c7f2d262ea64ac1861843c4e2e38080fc

SHA512
389a96c415c2f7bf819cd4bea57501a83a4a5d42867592e70c35f84c79a1cf01e4e847429971042717e4d5565911cfbae932a1a7eddb8d825873c472cde338cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a13bbo1v.gsp.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fagffakkjlpjxka.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fagffakkjlpjxka.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
memory/612-262-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/612-255-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/612-257-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/612-256-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/612-258-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/612-254-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/612-259-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/612-260-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/612-261-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/612-277-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/612-280-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/1012-309-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/1012-303-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1012-307-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/1012-305-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/1012-308-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/1012-306-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/1012-304-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/1012-310-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/1012-329-0x0000000000090000-0x0000000000B96000-memory.dmp

Filesize
11.0MB

Download
memory/1012-302-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1016-339-0x00007FF948BF0000-0x00007FF948BF2000-memory.dmp

Filesize
8KB

Download
memory/1016-335-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp

Filesize
9.9MB

Download
memory/1016-345-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp

Filesize
9.9MB

Download
memory/1016-336-0x00007FF948BE0000-0x00007FF948BE2000-memory.dmp

Filesize
8KB

Download
memory/1016-343-0x00007FF948C10000-0x00007FF948C12000-memory.dmp

Filesize
8KB

Download
memory/1016-342-0x00007FF945500000-0x00007FF945502000-memory.dmp

Filesize
8KB

Download
memory/1016-340-0x00007FF948C00000-0x00007FF948C02000-memory.dmp

Filesize
8KB

Download
memory/1016-341-0x00007FF9454F0000-0x00007FF9454F2000-memory.dmp

Filesize
8KB

Download
memory/1016-334-0x00007FF948BD0000-0x00007FF948BD2000-memory.dmp

Filesize
8KB

Download
memory/1364-366-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/1364-367-0x000001E969B30000-0x000001E969B40000-memory.dmp

Filesize
64KB

Download
memory/1452-121-0x00007FF948BE0000-0x00007FF948BE2000-memory.dmp

Filesize
8KB

Download
memory/1452-128-0x00007FF647C80000-0x00007FF64AAB9000-memory.dmp

Filesize
46.2MB

Download
memory/1452-123-0x00007FF948C00000-0x00007FF948C02000-memory.dmp

Filesize
8KB

Download
memory/1452-120-0x00007FF948BD0000-0x00007FF948BD2000-memory.dmp

Filesize
8KB

Download
memory/1452-125-0x00007FF948C10000-0x00007FF948C12000-memory.dmp

Filesize
8KB

Download
memory/1452-134-0x00007FF647C80000-0x00007FF64AAB9000-memory.dmp

Filesize
46.2MB

Download
memory/1452-127-0x00007FF945C50000-0x00007FF945C52000-memory.dmp

Filesize
8KB

Download
memory/1452-126-0x00007FF945C40000-0x00007FF945C42000-memory.dmp

Filesize
8KB

Download
memory/1452-122-0x00007FF948BF0000-0x00007FF948BF2000-memory.dmp

Filesize
8KB

Download
memory/1452-124-0x00007FF647C80000-0x00007FF64AAB9000-memory.dmp

Filesize
46.2MB

Download
memory/1456-161-0x0000021B84E90000-0x0000021B84EA0000-memory.dmp

Filesize
64KB

Download
memory/1456-167-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/1456-141-0x0000021B84E90000-0x0000021B84EA0000-memory.dmp

Filesize
64KB

Download
memory/1456-139-0x0000021B86B60000-0x0000021B86B82000-memory.dmp

Filesize
136KB

Download
memory/1456-140-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/1456-145-0x0000021B9EF50000-0x0000021B9EFC6000-memory.dmp

Filesize
472KB

Download
memory/1456-160-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/1456-162-0x0000021B84E90000-0x0000021B84EA0000-memory.dmp

Filesize
64KB

Download
memory/1456-163-0x0000021B84E90000-0x0000021B84EA0000-memory.dmp

Filesize
64KB

Download
memory/1456-142-0x0000021B84E90000-0x0000021B84EA0000-memory.dmp

Filesize
64KB

Download
memory/2684-208-0x000001D1B8750000-0x000001D1B8760000-memory.dmp

Filesize
64KB

Download
memory/2684-209-0x000001D1B8750000-0x000001D1B8760000-memory.dmp

Filesize
64KB

Download
memory/2684-228-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-361-0x000001D1B8750000-0x000001D1B8760000-memory.dmp

Filesize
64KB

Download
memory/2684-229-0x000001D1B8750000-0x000001D1B8760000-memory.dmp

Filesize
64KB

Download
memory/2684-205-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-362-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/3380-291-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3380-347-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3380-297-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3380-295-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3380-300-0x00000000057E0000-0x0000000005830000-memory.dmp

Filesize
320KB

Download
memory/3380-293-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3380-290-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3380-344-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3380-328-0x00000000063F0000-0x000000000691C000-memory.dmp

Filesize
5.2MB

Download
memory/3440-292-0x0000000004F90000-0x000000000548E000-memory.dmp

Filesize
5.0MB

Download
memory/3440-283-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3440-299-0x0000000005720000-0x0000000005796000-memory.dmp

Filesize
472KB

Download
memory/3440-298-0x0000000005540000-0x0000000005702000-memory.dmp

Filesize
1.8MB

Download
memory/3440-294-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/3440-287-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3440-285-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3440-321-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3440-284-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3440-301-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/3440-282-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3440-325-0x0000000006070000-0x000000000609E000-memory.dmp

Filesize
184KB

Download
memory/3440-326-0x00000000060A0000-0x00000000060D8000-memory.dmp

Filesize
224KB

Download
memory/3440-331-0x0000000074CC0000-0x0000000074E82000-memory.dmp

Filesize
1.8MB

Download
memory/3440-330-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/3888-200-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3888-202-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4220-253-0x0000000000240000-0x0000000000D46000-memory.dmp

Filesize
11.0MB

Download
memory/4220-239-0x0000000000240000-0x0000000000D46000-memory.dmp

Filesize
11.0MB

Download
memory/4220-234-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4220-236-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/4220-235-0x0000000000240000-0x0000000000D46000-memory.dmp

Filesize
11.0MB

Download
memory/4220-238-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/4220-242-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4220-241-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4220-240-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4220-237-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/4992-196-0x0000015CC13A0000-0x0000015CC13B0000-memory.dmp

Filesize
64KB

Download
memory/4992-193-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/4992-195-0x0000015CC13A0000-0x0000015CC13B0000-memory.dmp

Filesize
64KB

Download
memory/4992-194-0x0000015CC13A0000-0x0000015CC13B0000-memory.dmp

Filesize
64KB

Download
memory/4992-175-0x0000015CC13A0000-0x0000015CC13B0000-memory.dmp

Filesize
64KB

Download
memory/4992-199-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/4992-174-0x0000015CC13A0000-0x0000015CC13B0000-memory.dmp

Filesize
64KB

Download
memory/4992-171-0x00007FF92D1F0000-0x00007FF92DBDC000-memory.dmp

Filesize
9.9MB

Download
memory/5056-349-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp

Filesize
9.9MB

Download
memory/5056-356-0x00007FF9239F0000-0x00007FF9243E2000-memory.dmp

Filesize
9.9MB

Download