ammyyadmin | 8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
Size

513KB
MD5

89fe28686a81b90bf1f46b6d46251ce4
SHA1

19f6a799b4777acf208926cee4913c0a889db72e
SHA256

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f
SHA512

9cb0181a6a9e6a37c10a6acf9c172fd4130f4d476b76c3b97acc71c157c3d8135f42d1f2a10bb87d07ecf784d30e705dc071b5630705e9f939127762795d0dfc
SSDEEP

12288:pX5JC7oT39ra0hI1iGKsHJwUJ10qx6qhE12:pLC7mtThIcGNSS1VY31

Score

10^/10

ammyyadmin flawedammyy rhadamanthys smokeloader backdoor bootkit collection persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000800000001643c-174.dat	family_ammyyadmin
behavioral1/files/0x000800000001643c-179.dat	family_ammyyadmin
behavioral1/files/0x000800000001643c-176.dat	family_ammyyadmin
behavioral1/files/0x000800000001643c-180.dat	family_ammyyadmin
behavioral1/files/0x000800000001643c-184.dat	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

resource	yara_rule
behavioral1/memory/2084-22-0x0000000000D70000-0x0000000001170000-memory.dmp	family_rhadamanthys
behavioral1/memory/2084-24-0x0000000000D70000-0x0000000001170000-memory.dmp	family_rhadamanthys
behavioral1/memory/2084-23-0x0000000000D70000-0x0000000001170000-memory.dmp	family_rhadamanthys
behavioral1/memory/2084-25-0x0000000000D70000-0x0000000001170000-memory.dmp	family_rhadamanthys
behavioral1/memory/2084-36-0x0000000000D70000-0x0000000001170000-memory.dmp	family_rhadamanthys
behavioral1/memory/2084-37-0x0000000000D70000-0x0000000001170000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2084 created 1212	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	11

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

pid	Process
2832	certreq.exe

Executes dropped EXE 14 IoCs

pid	Process
2992	460z.exe
888	460z.exe
1120	460z.exe
1972	460z.exe
548	460z.exe
1964	460z.exe
584	460z.exe
668	460z.exe
268	460z.exe
436	460z.exe
2684	460z.exe
2820	7mAu.exe
1448	7mAu.exe
2368	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
988	explorer.exe
988	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2820 set thread context of 1448	2820	7mAu.exe	47

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7mAu.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7mAu.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7mAu.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
2832	certreq.exe
2832	certreq.exe
2832	certreq.exe
2832	certreq.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
2992	460z.exe
1448	7mAu.exe
1448	7mAu.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

pid	Process
1448	7mAu.exe
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
988	explorer.exe
988	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
Token: SeDebugPrivilege	2992	460z.exe
Token: SeDebugPrivilege	2820	7mAu.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2368	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2312	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	28
PID 2476 wrote to memory of 2312	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	28
PID 2476 wrote to memory of 2312	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	28
PID 2476 wrote to memory of 2312	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	28
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2476 wrote to memory of 2084	2476	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	29
PID 2084 wrote to memory of 2832	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	31
PID 2084 wrote to memory of 2832	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	31
PID 2084 wrote to memory of 2832	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	31
PID 2084 wrote to memory of 2832	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	31
PID 2084 wrote to memory of 2832	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	31
PID 2084 wrote to memory of 2832	2084	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe	31
PID 2992 wrote to memory of 888	2992	460z.exe	36
PID 2992 wrote to memory of 888	2992	460z.exe	36
PID 2992 wrote to memory of 888	2992	460z.exe	36
PID 2992 wrote to memory of 888	2992	460z.exe	36
PID 2992 wrote to memory of 1120	2992	460z.exe	37
PID 2992 wrote to memory of 1120	2992	460z.exe	37
PID 2992 wrote to memory of 1120	2992	460z.exe	37
PID 2992 wrote to memory of 1120	2992	460z.exe	37
PID 2992 wrote to memory of 1972	2992	460z.exe	38
PID 2992 wrote to memory of 1972	2992	460z.exe	38
PID 2992 wrote to memory of 1972	2992	460z.exe	38
PID 2992 wrote to memory of 1972	2992	460z.exe	38
PID 2992 wrote to memory of 548	2992	460z.exe	39
PID 2992 wrote to memory of 548	2992	460z.exe	39
PID 2992 wrote to memory of 548	2992	460z.exe	39
PID 2992 wrote to memory of 548	2992	460z.exe	39
PID 2992 wrote to memory of 1964	2992	460z.exe	40
PID 2992 wrote to memory of 1964	2992	460z.exe	40
PID 2992 wrote to memory of 1964	2992	460z.exe	40
PID 2992 wrote to memory of 1964	2992	460z.exe	40
PID 2992 wrote to memory of 584	2992	460z.exe	41
PID 2992 wrote to memory of 584	2992	460z.exe	41
PID 2992 wrote to memory of 584	2992	460z.exe	41
PID 2992 wrote to memory of 584	2992	460z.exe	41
PID 2992 wrote to memory of 668	2992	460z.exe	42
PID 2992 wrote to memory of 668	2992	460z.exe	42
PID 2992 wrote to memory of 668	2992	460z.exe	42
PID 2992 wrote to memory of 668	2992	460z.exe	42
PID 2992 wrote to memory of 268	2992	460z.exe	43
PID 2992 wrote to memory of 268	2992	460z.exe	43
PID 2992 wrote to memory of 268	2992	460z.exe	43
PID 2992 wrote to memory of 268	2992	460z.exe	43
PID 2992 wrote to memory of 436	2992	460z.exe	44
PID 2992 wrote to memory of 436	2992	460z.exe	44
PID 2992 wrote to memory of 436	2992	460z.exe	44
PID 2992 wrote to memory of 436	2992	460z.exe	44
PID 2992 wrote to memory of 2684	2992	460z.exe	45
PID 2992 wrote to memory of 2684	2992	460z.exe	45
PID 2992 wrote to memory of 2684	2992	460z.exe	45
PID 2992 wrote to memory of 2684	2992	460z.exe	45
PID 2820 wrote to memory of 1448	2820	7mAu.exe	47
PID 2820 wrote to memory of 1448	2820	7mAu.exe	47
PID 2820 wrote to memory of 1448	2820	7mAu.exe	47
PID 2820 wrote to memory of 1448	2820	7mAu.exe	47
PID 2820 wrote to memory of 1448	2820	7mAu.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
PID:1212
- C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
    C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
    3⤵
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
    C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620fexe_JC.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2084
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:2332
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1160
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:808
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1088
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2040
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2364
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2408
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1388
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1720
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2036
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1272
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3008
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1768
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    PID:2368
  - - C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:2900

C:\Users\Admin\AppData\Local\Microsoft\460z.exe
"C:\Users\Admin\AppData\Local\Microsoft\460z.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  C:\Users\Admin\AppData\Local\Microsoft\460z.exe
  2⤵
  - Executes dropped EXE
  PID:2684

C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe
"C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe
  C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\460z.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe

Filesize
389KB

MD5
4a97cfd7be5c68006c2e09dd71343ecd

SHA1
db5d13f2768a73eb8f72fe08575c9911b49abfc5

SHA256
5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e

SHA512
a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe

Filesize
389KB

MD5
4a97cfd7be5c68006c2e09dd71343ecd

SHA1
db5d13f2768a73eb8f72fe08575c9911b49abfc5

SHA256
5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e

SHA512
a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\7mAu.exe

Filesize
389KB

MD5
4a97cfd7be5c68006c2e09dd71343ecd

SHA1
db5d13f2768a73eb8f72fe08575c9911b49abfc5

SHA256
5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e

SHA512
a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\8517.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/808-140-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/808-128-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/808-126-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/808-127-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1088-129-0x0000000000100000-0x000000000010B000-memory.dmp

Filesize
44KB

Download
memory/1088-130-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1088-131-0x0000000000100000-0x000000000010B000-memory.dmp

Filesize
44KB

Download
memory/1160-125-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1160-123-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1160-124-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1212-96-0x0000000003A80000-0x0000000003A96000-memory.dmp

Filesize
88KB

Download
memory/1272-159-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/1272-160-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/1388-146-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1388-144-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1388-145-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1448-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1448-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1448-97-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1448-86-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1448-90-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1448-92-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-149-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1720-148-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/1720-147-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/2036-152-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2036-153-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/2036-155-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2040-134-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2040-132-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2040-150-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2084-21-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2084-25-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2084-32-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-28-0x0000000000130000-0x0000000000166000-memory.dmp

Filesize
216KB

Download
memory/2084-37-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2084-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2084-22-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2084-36-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2084-35-0x0000000000130000-0x0000000000166000-memory.dmp

Filesize
216KB

Download
memory/2084-23-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2084-24-0x0000000000D70000-0x0000000001170000-memory.dmp

Filesize
4.0MB

Download
memory/2296-137-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2296-151-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/2296-135-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2296-136-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/2332-122-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2332-108-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2332-109-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2332-107-0x0000000000190000-0x0000000000205000-memory.dmp

Filesize
468KB

Download
memory/2364-141-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2364-138-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2364-157-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2364-139-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2408-143-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/2408-142-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2408-162-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2476-4-0x0000000000C50000-0x0000000000CB8000-memory.dmp

Filesize
416KB

Download
memory/2476-1-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-2-0x0000000000AD0000-0x0000000000B48000-memory.dmp

Filesize
480KB

Download
memory/2476-3-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2476-5-0x0000000000D00000-0x0000000000D4C000-memory.dmp

Filesize
304KB

Download
memory/2476-18-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-0-0x00000000012C0000-0x0000000001346000-memory.dmp

Filesize
536KB

Download
memory/2820-84-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2820-93-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-82-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-81-0x0000000001230000-0x0000000001298000-memory.dmp

Filesize
416KB

Download
memory/2820-83-0x0000000000390000-0x00000000003D4000-memory.dmp

Filesize
272KB

Download
memory/2820-85-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/2832-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-51-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2832-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-95-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2832-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-27-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2832-40-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2832-64-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2832-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-94-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2832-26-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2832-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-53-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-54-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-55-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-56-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2832-60-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2992-62-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-63-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2992-61-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download
memory/2992-67-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2992-78-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-65-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/3008-161-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3008-163-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download