ammyyadmin | 70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
Size

1.9MB
MD5

534e8c1d3d71f8736793b80048c3dbdd
SHA1

d651b9cf8a717609656f13183ac1c9128e5c9105
SHA256

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade
SHA512

3816f5c4bc1f0bb3466ec59257ab98914c3b0f3348942d01e8ab661cc071a89f2e4eb943ecd467f0710cb0fbf3a04e008a43d6a9277e725f97dec798abad2fc5
SSDEEP

24576:eGgZShKmrSYSvcrWgzZTqZ8u+gJHE3nY0AdxPQaXm7sqUF0MU8GO0bb:ee+eWghqbEGdxPRWQqy0MU8GPb

Score

10^/10

ammyyadmin flawedammyy rhadamanthys smokeloader backdoor bootkit collection persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000300000001de9d-181.dat	family_ammyyadmin
behavioral2/files/0x000300000001de9d-186.dat	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4668-15-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/4668-16-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/4668-17-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/4668-18-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/4668-28-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/4668-30-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe

description	pid	Process	procid_target
PID 4668 created 3140	4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	28

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid	Process
4480	certreq.exe

Executes dropped EXE 15 IoCs

Processes:

L6754%.exeuB6N3.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeL6754%.exeuB6N3.exeuB6N3.exesvchost.exe

pid	Process
1204	L6754%.exe
1304	uB6N3.exe
2060	L6754%.exe
1388	L6754%.exe
3916	L6754%.exe
1696	L6754%.exe
3084	L6754%.exe
4364	L6754%.exe
4600	L6754%.exe
4864	L6754%.exe
412	L6754%.exe
472	L6754%.exe
1656	uB6N3.exe
400	uB6N3.exe
3320	svchost.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
536	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

svchost.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exeuB6N3.exe

description	pid	Process	procid_target
PID 552 set thread context of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 1304 set thread context of 400	1304	uB6N3.exe	108

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

uB6N3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uB6N3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uB6N3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uB6N3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.execertreq.exeL6754%.exeuB6N3.exeuB6N3.exeExplorer.EXE

pid	Process
4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
4480	certreq.exe
4480	certreq.exe
4480	certreq.exe
4480	certreq.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1204	L6754%.exe
1304	uB6N3.exe
1304	uB6N3.exe
400	uB6N3.exe
400	uB6N3.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

uB6N3.exeExplorer.EXEexplorer.exe

pid	Process
400	uB6N3.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
4616	explorer.exe
4616	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exeL6754%.exeuB6N3.exe

description	pid	Process
Token: SeDebugPrivilege	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
Token: SeDebugPrivilege	1204	L6754%.exe
Token: SeDebugPrivilege	1304	uB6N3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid	Process
3320	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3140	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exeL6754%.exeuB6N3.exeExplorer.EXE

description	pid	Process	procid_target
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 552 wrote to memory of 4668	552	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	83
PID 4668 wrote to memory of 4480	4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	89
PID 4668 wrote to memory of 4480	4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	89
PID 4668 wrote to memory of 4480	4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	89
PID 4668 wrote to memory of 4480	4668	70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe	89
PID 1204 wrote to memory of 2060	1204	L6754%.exe	97
PID 1204 wrote to memory of 2060	1204	L6754%.exe	97
PID 1204 wrote to memory of 2060	1204	L6754%.exe	97
PID 1204 wrote to memory of 1388	1204	L6754%.exe	106
PID 1204 wrote to memory of 1388	1204	L6754%.exe	106
PID 1204 wrote to memory of 1388	1204	L6754%.exe	106
PID 1204 wrote to memory of 3916	1204	L6754%.exe	105
PID 1204 wrote to memory of 3916	1204	L6754%.exe	105
PID 1204 wrote to memory of 3916	1204	L6754%.exe	105
PID 1204 wrote to memory of 1696	1204	L6754%.exe	100
PID 1204 wrote to memory of 1696	1204	L6754%.exe	100
PID 1204 wrote to memory of 1696	1204	L6754%.exe	100
PID 1204 wrote to memory of 3084	1204	L6754%.exe	99
PID 1204 wrote to memory of 3084	1204	L6754%.exe	99
PID 1204 wrote to memory of 3084	1204	L6754%.exe	99
PID 1204 wrote to memory of 4600	1204	L6754%.exe	98
PID 1204 wrote to memory of 4600	1204	L6754%.exe	98
PID 1204 wrote to memory of 4600	1204	L6754%.exe	98
PID 1204 wrote to memory of 4364	1204	L6754%.exe	101
PID 1204 wrote to memory of 4364	1204	L6754%.exe	101
PID 1204 wrote to memory of 4364	1204	L6754%.exe	101
PID 1204 wrote to memory of 412	1204	L6754%.exe	104
PID 1204 wrote to memory of 412	1204	L6754%.exe	104
PID 1204 wrote to memory of 412	1204	L6754%.exe	104
PID 1204 wrote to memory of 4864	1204	L6754%.exe	103
PID 1204 wrote to memory of 4864	1204	L6754%.exe	103
PID 1204 wrote to memory of 4864	1204	L6754%.exe	103
PID 1204 wrote to memory of 472	1204	L6754%.exe	102
PID 1204 wrote to memory of 472	1204	L6754%.exe	102
PID 1204 wrote to memory of 472	1204	L6754%.exe	102
PID 1304 wrote to memory of 1656	1304	uB6N3.exe	107
PID 1304 wrote to memory of 1656	1304	uB6N3.exe	107
PID 1304 wrote to memory of 1656	1304	uB6N3.exe	107
PID 1304 wrote to memory of 400	1304	uB6N3.exe	108
PID 1304 wrote to memory of 400	1304	uB6N3.exe	108
PID 1304 wrote to memory of 400	1304	uB6N3.exe	108
PID 1304 wrote to memory of 400	1304	uB6N3.exe	108
PID 1304 wrote to memory of 400	1304	uB6N3.exe	108
PID 1304 wrote to memory of 400	1304	uB6N3.exe	108
PID 3140 wrote to memory of 4064	3140	Explorer.EXE	109
PID 3140 wrote to memory of 4064	3140	Explorer.EXE	109
PID 3140 wrote to memory of 4064	3140	Explorer.EXE	109
PID 3140 wrote to memory of 4064	3140	Explorer.EXE	109
PID 3140 wrote to memory of 5072	3140	Explorer.EXE	110
PID 3140 wrote to memory of 5072	3140	Explorer.EXE	110
PID 3140 wrote to memory of 5072	3140	Explorer.EXE	110
PID 3140 wrote to memory of 548	3140	Explorer.EXE	111
PID 3140 wrote to memory of 548	3140	Explorer.EXE	111
PID 3140 wrote to memory of 548	3140	Explorer.EXE	111
PID 3140 wrote to memory of 548	3140	Explorer.EXE	111
PID 3140 wrote to memory of 4484	3140	Explorer.EXE	112
PID 3140 wrote to memory of 4484	3140	Explorer.EXE	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
    C:\Users\Admin\AppData\Local\Temp\70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade_JC.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4668
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:4064
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:5072
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:548
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4484
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3848
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1548
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4180
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2780
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4760
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4968
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1372
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2156
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:5036
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4788
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    PID:3320
  - - C:\Windows\SYSTEM32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\aa_nts.dll",run
      4⤵
      Loads dropped DLL
      PID:536

C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
"C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:472
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe
  2⤵
  - Executes dropped EXE
  PID:1388

C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe
"C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe
  C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe
  C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\L6754%.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe

Filesize
250KB

MD5
c6024b75b194167a5c959db8324aaa48

SHA1
5f33040a09103a6bab9bd4f690abffcc571faa52

SHA256
74fe73aebbcc61a087905e7d47a6bdc1f3c4cf5b3019ee631aaa443f524822fe

SHA512
562a2d1e05123e71b47f4c0883befb46cda376fa4e8f2f6bb68d9775b49da60f0f4f7fdb0c54bb9e7a28d1527f47a0bbcfa501e0697c388594dbe6ef3c10dcb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe

Filesize
250KB

MD5
c6024b75b194167a5c959db8324aaa48

SHA1
5f33040a09103a6bab9bd4f690abffcc571faa52

SHA256
74fe73aebbcc61a087905e7d47a6bdc1f3c4cf5b3019ee631aaa443f524822fe

SHA512
562a2d1e05123e71b47f4c0883befb46cda376fa4e8f2f6bb68d9775b49da60f0f4f7fdb0c54bb9e7a28d1527f47a0bbcfa501e0697c388594dbe6ef3c10dcb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe

Filesize
250KB

MD5
c6024b75b194167a5c959db8324aaa48

SHA1
5f33040a09103a6bab9bd4f690abffcc571faa52

SHA256
74fe73aebbcc61a087905e7d47a6bdc1f3c4cf5b3019ee631aaa443f524822fe

SHA512
562a2d1e05123e71b47f4c0883befb46cda376fa4e8f2f6bb68d9775b49da60f0f4f7fdb0c54bb9e7a28d1527f47a0bbcfa501e0697c388594dbe6ef3c10dcb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uB6N3.exe

Filesize
250KB

MD5
c6024b75b194167a5c959db8324aaa48

SHA1
5f33040a09103a6bab9bd4f690abffcc571faa52

SHA256
74fe73aebbcc61a087905e7d47a6bdc1f3c4cf5b3019ee631aaa443f524822fe

SHA512
562a2d1e05123e71b47f4c0883befb46cda376fa4e8f2f6bb68d9775b49da60f0f4f7fdb0c54bb9e7a28d1527f47a0bbcfa501e0697c388594dbe6ef3c10dcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0C6.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/400-79-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/400-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/400-82-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/536-216-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/548-126-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/548-143-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/548-125-0x0000000000B30000-0x0000000000B34000-memory.dmp

Filesize
16KB

Download
memory/552-0-0x0000000000260000-0x000000000044A000-memory.dmp

Filesize
1.9MB

Download
memory/552-6-0x0000000004E60000-0x0000000004EAC000-memory.dmp

Filesize
304KB

Download
memory/552-2-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/552-3-0x0000000004CA0000-0x0000000004D1C000-memory.dmp

Filesize
496KB

Download
memory/552-4-0x0000000004D20000-0x0000000004D98000-memory.dmp

Filesize
480KB

Download
memory/552-5-0x0000000004DF0000-0x0000000004E58000-memory.dmp

Filesize
416KB

Download
memory/552-1-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/552-13-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/552-7-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/1204-77-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/1204-52-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1204-58-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/1204-56-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/1204-57-0x0000000004B30000-0x0000000004B5C000-memory.dmp

Filesize
176KB

Download
memory/1204-55-0x00000000026F0000-0x000000000272E000-memory.dmp

Filesize
248KB

Download
memory/1304-63-0x0000000004A10000-0x0000000004A54000-memory.dmp

Filesize
272KB

Download
memory/1304-62-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/1304-64-0x0000000004A80000-0x0000000004AB2000-memory.dmp

Filesize
200KB

Download
memory/1304-65-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1304-83-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/1304-61-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1372-152-0x00000000004D0000-0x00000000004F1000-memory.dmp

Filesize
132KB

Download
memory/1372-151-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/1372-153-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/1548-135-0x0000000000170000-0x000000000017F000-memory.dmp

Filesize
60KB

Download
memory/1548-150-0x0000000000170000-0x000000000017F000-memory.dmp

Filesize
60KB

Download
memory/1548-134-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/1548-136-0x0000000000170000-0x000000000017F000-memory.dmp

Filesize
60KB

Download
memory/2156-157-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/2156-158-0x0000000000520000-0x0000000000525000-memory.dmp

Filesize
20KB

Download
memory/2156-159-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/2780-140-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2780-142-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/3140-86-0x00000000027D0000-0x00000000027E6000-memory.dmp

Filesize
88KB

Download
memory/3320-194-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/3320-183-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/3848-132-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/3848-146-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/3848-133-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/3848-131-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/4064-124-0x0000000000F00000-0x0000000000F6B000-memory.dmp

Filesize
428KB

Download
memory/4064-99-0x0000000000F00000-0x0000000000F6B000-memory.dmp

Filesize
428KB

Download
memory/4064-97-0x0000000000F70000-0x0000000000FE5000-memory.dmp

Filesize
468KB

Download
memory/4064-98-0x0000000000F00000-0x0000000000F6B000-memory.dmp

Filesize
428KB

Download
memory/4180-139-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/4180-137-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4180-156-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4180-160-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/4480-84-0x000001DC6E7E0000-0x000001DC6E7E5000-memory.dmp

Filesize
20KB

Download
memory/4480-46-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-85-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp

Filesize
2.0MB

Download
memory/4480-48-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-47-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-45-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-53-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp

Filesize
2.0MB

Download
memory/4480-44-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-43-0x00007FFE7B990000-0x00007FFE7BB85000-memory.dmp

Filesize
2.0MB

Download
memory/4480-42-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-19-0x000001DC6E540000-0x000001DC6E543000-memory.dmp

Filesize
12KB

Download
memory/4480-41-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-40-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-31-0x000001DC6E540000-0x000001DC6E543000-memory.dmp

Filesize
12KB

Download
memory/4480-32-0x000001DC6E7E0000-0x000001DC6E7E7000-memory.dmp

Filesize
28KB

Download
memory/4480-33-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-34-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-37-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-35-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-36-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4480-38-0x00007FF46AAF0000-0x00007FF46AC1F000-memory.dmp

Filesize
1.2MB

Download
memory/4484-130-0x0000000000430000-0x000000000043B000-memory.dmp

Filesize
44KB

Download
memory/4484-127-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/4484-129-0x0000000000430000-0x000000000043B000-memory.dmp

Filesize
44KB

Download
memory/4616-174-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/4668-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4668-28-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/4668-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4668-21-0x0000000003E90000-0x0000000003EC6000-memory.dmp

Filesize
216KB

Download
memory/4668-14-0x0000000001230000-0x0000000001237000-memory.dmp

Filesize
28KB

Download
memory/4668-30-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/4668-18-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/4668-17-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/4668-16-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/4668-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4668-27-0x0000000003E90000-0x0000000003EC6000-memory.dmp

Filesize
216KB

Download
memory/4668-15-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/4668-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4668-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4760-147-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/4760-145-0x0000000000FA0000-0x0000000000FA4000-memory.dmp

Filesize
16KB

Download
memory/4760-144-0x0000000000F90000-0x0000000000F99000-memory.dmp

Filesize
36KB

Download
memory/4788-169-0x00000000005C0000-0x00000000005CD000-memory.dmp

Filesize
52KB

Download
memory/4968-148-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download
memory/4968-149-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/5036-163-0x0000000000CC0000-0x0000000000CCB000-memory.dmp

Filesize
44KB

Download
memory/5072-118-0x0000000000A10000-0x0000000000A17000-memory.dmp

Filesize
28KB

Download
memory/5072-122-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/5072-123-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download