orcus | e6aa1c3c529c5d6cb73ef7eb959555c8d681e36bae8290ed1310b5caec13cc84

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-09-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12.exe
Size

918KB
MD5

1fe1c0eb7d62a73e832c2c1eba4f78c1
SHA1

f3dc248a9850b358beff204b8e69ef86cb1e398d
SHA256

e6aa1c3c529c5d6cb73ef7eb959555c8d681e36bae8290ed1310b5caec13cc84
SHA512

b6e5e021b5dc12188e09f1a1a2f483700e2b0a795494bcf21a1f7036f5c34443c73e87671aafcf7775aedf39ef608cf41da1286fae2162786974b23521c2294d
SSDEEP

24576:ld74MROxnFH3WRM4IrrcI0AilFEvxHPmooQ:laMihWlIrrcI0AilFEvxHP

Score

10^/10

orcus mal discovery evasion persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Mal

keep-forth.gl.at.ply.gg:19365

Mutex

3bd064b7c6b7453ba4e355a8c39c2b4a

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Radeon\RadeonSoftware.exe
reconnect_delay
10000
registry_keyname
winla
taskscheduler_taskname
winlaa
watchdog_path
Temp\AMDRSServ.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/files/0x000100000002a9d7-50.dat	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2228-1-0x0000000000970000-0x0000000000A5C000-memory.dmp	orcus
behavioral4/files/0x000100000002a9d7-50.dat	orcus

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
2608	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RdpWrapper_292ecaf4f757491186702f051a76e30f.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe

Executes dropped EXE 21 IoCs

Processes:

WindowsInput.exeWindowsInput.exeRadeonSoftware.exeRadeonSoftware.exeAMDRSServ.exeAMDRSServ.exeRdpWrapper_292ecaf4f757491186702f051a76e30f.exeRadeonSoftware.exeAMDRSServ.exeRadeonSoftware.exeAMDRSServ (1).exeAMDRSServ (1).exeRadeonSoftware.exeAMDRSServ.exeRadeonSoftware.exeAMDRSServ.exeRadeonSoftware.exeAMDRSServ.exeRadeonSoftware.exeAMDRSServ.exeRadeonSoftware.exe

pid	Process
4144	WindowsInput.exe
756	WindowsInput.exe
4340	RadeonSoftware.exe
1528	RadeonSoftware.exe
1488	AMDRSServ.exe
2152	AMDRSServ.exe
4164	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe
1932	RadeonSoftware.exe
480	AMDRSServ.exe
4548	RadeonSoftware.exe
3584	AMDRSServ (1).exe
4532	AMDRSServ (1).exe
2452	RadeonSoftware.exe
4640	AMDRSServ.exe
4644	RadeonSoftware.exe
2544	AMDRSServ.exe
3372	RadeonSoftware.exe
4920	AMDRSServ.exe
2760	RadeonSoftware.exe
2284	AMDRSServ.exe
3352	RadeonSoftware.exe

Loads dropped DLL 26 IoCs

Processes:

RadeonSoftware.exesvchost.exeRadeonSoftware.exe

pid	Process
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
680	svchost.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe
1932	RadeonSoftware.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RadeonSoftware.exeRadeonSoftware.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\winla = "\"C:\\Program Files (x86)\\Radeon\\RadeonSoftware.exe\""	RadeonSoftware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\winla = "\"C:\\Program Files (x86)\\Radeon\\RadeonSoftware.exe\""	RadeonSoftware.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RdpWrapper_292ecaf4f757491186702f051a76e30f.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe

Drops file in System32 directory 3 IoCs

Processes:

12.exeWindowsInput.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	12.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	12.exe

Drops file in Program Files directory 5 IoCs

Processes:

12.exeRdpWrapper_292ecaf4f757491186702f051a76e30f.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Radeon\RadeonSoftware.exe	12.exe
File created	C:\Program Files (x86)\Radeon\RadeonSoftware.exe.config	12.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe
File created	C:\Program Files (x86)\Radeon\RadeonSoftware.exe	12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1328	4340	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AMDRSServ.exeAMDRSServ.exeRadeonSoftware.exeRadeonSoftware.exeAMDRSServ.exeRdpWrapper_292ecaf4f757491186702f051a76e30f.exeRadeonSoftware.exeAMDRSServ.exeAMDRSServ (1).exeAMDRSServ (1).exeRadeonSoftware.exeRadeonSoftware.exeRadeonSoftware.exeAMDRSServ.exeAMDRSServ.exeRadeonSoftware.exe12.exeRadeonSoftware.exeRadeonSoftware.exeAMDRSServ.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AMDRSServ.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RadeonSoftware.exeRadeonSoftware.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RadeonSoftware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RadeonSoftware.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RadeonSoftware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RadeonSoftware.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1964	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AMDRSServ.exeRadeonSoftware.exe

pid	Process
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe
4340	RadeonSoftware.exe
2152	AMDRSServ.exe
2152	AMDRSServ.exe
4340	RadeonSoftware.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

RadeonSoftware.exeRadeonSoftware.exe

pid	Process
4340	RadeonSoftware.exe
1932	RadeonSoftware.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
660

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

RadeonSoftware.exeAMDRSServ.exeAMDRSServ.exeRdpWrapper_292ecaf4f757491186702f051a76e30f.exesvchost.exeRadeonSoftware.exeAMDRSServ (1).exeAMDRSServ (1).exeAMDRSServ.exeAMDRSServ.exeAMDRSServ.exeAMDRSServ.exeAMDRSServ.exe

description	pid	Process
Token: SeDebugPrivilege	4340	RadeonSoftware.exe
Token: SeDebugPrivilege	1488	AMDRSServ.exe
Token: SeDebugPrivilege	2152	AMDRSServ.exe
Token: SeDebugPrivilege	4164	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe
Token: SeAuditPrivilege	680	svchost.exe
Token: SeDebugPrivilege	1932	RadeonSoftware.exe
Token: SeDebugPrivilege	3584	AMDRSServ (1).exe
Token: SeDebugPrivilege	4532	AMDRSServ (1).exe
Token: SeDebugPrivilege	480	AMDRSServ.exe
Token: SeDebugPrivilege	4640	AMDRSServ.exe
Token: SeDebugPrivilege	2544	AMDRSServ.exe
Token: SeDebugPrivilege	4920	AMDRSServ.exe
Token: SeDebugPrivilege	2284	AMDRSServ.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RadeonSoftware.exeRadeonSoftware.exe

pid	Process
4340	RadeonSoftware.exe
1932	RadeonSoftware.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

12.exeRadeonSoftware.exeAMDRSServ.exeRdpWrapper_292ecaf4f757491186702f051a76e30f.exeAMDRSServ.exeRadeonSoftware.exeAMDRSServ (1).exeAMDRSServ.exeAMDRSServ.exeAMDRSServ.exeAMDRSServ.exeAMDRSServ.exe

description	pid	Process	procid_target
PID 2228 wrote to memory of 4144	2228	12.exe	82
PID 2228 wrote to memory of 4144	2228	12.exe	82
PID 2228 wrote to memory of 4340	2228	12.exe	84
PID 2228 wrote to memory of 4340	2228	12.exe	84
PID 2228 wrote to memory of 4340	2228	12.exe	84
PID 4340 wrote to memory of 1488	4340	RadeonSoftware.exe	86
PID 4340 wrote to memory of 1488	4340	RadeonSoftware.exe	86
PID 4340 wrote to memory of 1488	4340	RadeonSoftware.exe	86
PID 1488 wrote to memory of 2152	1488	AMDRSServ.exe	87
PID 1488 wrote to memory of 2152	1488	AMDRSServ.exe	87
PID 1488 wrote to memory of 2152	1488	AMDRSServ.exe	87
PID 4340 wrote to memory of 4164	4340	RadeonSoftware.exe	91
PID 4340 wrote to memory of 4164	4340	RadeonSoftware.exe	91
PID 4340 wrote to memory of 4164	4340	RadeonSoftware.exe	91
PID 4164 wrote to memory of 2608	4164	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe	95
PID 4164 wrote to memory of 2608	4164	RdpWrapper_292ecaf4f757491186702f051a76e30f.exe	95
PID 4340 wrote to memory of 1932	4340	RadeonSoftware.exe	97
PID 4340 wrote to memory of 1932	4340	RadeonSoftware.exe	97
PID 4340 wrote to memory of 1932	4340	RadeonSoftware.exe	97
PID 2152 wrote to memory of 480	2152	AMDRSServ.exe	102
PID 2152 wrote to memory of 480	2152	AMDRSServ.exe	102
PID 2152 wrote to memory of 480	2152	AMDRSServ.exe	102
PID 1932 wrote to memory of 3584	1932	RadeonSoftware.exe	103
PID 1932 wrote to memory of 3584	1932	RadeonSoftware.exe	103
PID 1932 wrote to memory of 3584	1932	RadeonSoftware.exe	103
PID 3584 wrote to memory of 4532	3584	AMDRSServ (1).exe	104
PID 3584 wrote to memory of 4532	3584	AMDRSServ (1).exe	104
PID 3584 wrote to memory of 4532	3584	AMDRSServ (1).exe	104
PID 480 wrote to memory of 2452	480	AMDRSServ.exe	105
PID 480 wrote to memory of 2452	480	AMDRSServ.exe	105
PID 480 wrote to memory of 2452	480	AMDRSServ.exe	105
PID 2152 wrote to memory of 4640	2152	AMDRSServ.exe	106
PID 2152 wrote to memory of 4640	2152	AMDRSServ.exe	106
PID 2152 wrote to memory of 4640	2152	AMDRSServ.exe	106
PID 4640 wrote to memory of 4644	4640	AMDRSServ.exe	107
PID 4640 wrote to memory of 4644	4640	AMDRSServ.exe	107
PID 4640 wrote to memory of 4644	4640	AMDRSServ.exe	107
PID 2152 wrote to memory of 2544	2152	AMDRSServ.exe	108
PID 2152 wrote to memory of 2544	2152	AMDRSServ.exe	108
PID 2152 wrote to memory of 2544	2152	AMDRSServ.exe	108
PID 2544 wrote to memory of 3372	2544	AMDRSServ.exe	109
PID 2544 wrote to memory of 3372	2544	AMDRSServ.exe	109
PID 2544 wrote to memory of 3372	2544	AMDRSServ.exe	109
PID 2152 wrote to memory of 4920	2152	AMDRSServ.exe	110
PID 2152 wrote to memory of 4920	2152	AMDRSServ.exe	110
PID 2152 wrote to memory of 4920	2152	AMDRSServ.exe	110
PID 4920 wrote to memory of 2760	4920	AMDRSServ.exe	111
PID 4920 wrote to memory of 2760	4920	AMDRSServ.exe	111
PID 4920 wrote to memory of 2760	4920	AMDRSServ.exe	111
PID 2152 wrote to memory of 2284	2152	AMDRSServ.exe	112
PID 2152 wrote to memory of 2284	2152	AMDRSServ.exe	112
PID 2152 wrote to memory of 2284	2152	AMDRSServ.exe	112
PID 2284 wrote to memory of 3352	2284	AMDRSServ.exe	113
PID 2284 wrote to memory of 3352	2284	AMDRSServ.exe	113
PID 2284 wrote to memory of 3352	2284	AMDRSServ.exe	113

C:\Users\Admin\AppData\Local\Temp\12.exe
"C:\Users\Admin\AppData\Local\Temp\12.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4144
- C:\Program Files (x86)\Radeon\RadeonSoftware.exe
  "C:\Program Files (x86)\Radeon\RadeonSoftware.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
    "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /launchSelfAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 4340 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
      "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /watchProcess "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 4340 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /launchClientAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 2152
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:480
      - C:\Program Files (x86)\Radeon\RadeonSoftware.exe
        
        "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" /keepAlive 2152
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /launchClientAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 2152
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Program Files (x86)\Radeon\RadeonSoftware.exe
        
        "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" /keepAlive 2152
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /launchClientAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 2152
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Program Files (x86)\Radeon\RadeonSoftware.exe
        
        "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" /keepAlive 2152
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /launchClientAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 2152
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Program Files (x86)\Radeon\RadeonSoftware.exe
        
        "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" /keepAlive 2152
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe" /launchClientAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 2152
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Program Files (x86)\Radeon\RadeonSoftware.exe
        
        "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" /keepAlive 2152
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3352
- - C:\Users\Admin\AppData\Local\Temp\RdpWrapper_292ecaf4f757491186702f051a76e30f.exe
    "C:\Users\Admin\AppData\Local\Temp\RdpWrapper_292ecaf4f757491186702f051a76e30f.exe" -i -o
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2608
- - C:\Program Files (x86)\Radeon\RadeonSoftware.exe
    "C:\Program Files (x86)\Radeon\RadeonSoftware.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ (1).exe
      "C:\Users\Admin\AppData\Local\Temp\AMDRSServ (1).exe" /launchSelfAndExit "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 1932 /protectFile
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Users\Admin\AppData\Local\Temp\AMDRSServ (1).exe
        
        "C:\Users\Admin\AppData\Local\Temp\AMDRSServ (1).exe" /watchProcess "C:\Program Files (x86)\Radeon\RadeonSoftware.exe" 1932 "/protectFile"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 3692
    3⤵
    - Program crash
    PID:1328

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Program Files (x86)\Radeon\RadeonSoftware.exe
"C:\Program Files (x86)\Radeon\RadeonSoftware.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SwitchAssert.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4340 -ip 4340
1⤵
PID:4564

C:\Program Files (x86)\Radeon\RadeonSoftware.exe
"C:\Program Files (x86)\Radeon\RadeonSoftware.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Radeon\RadeonSoftware.exe

Filesize
918KB

MD5
1fe1c0eb7d62a73e832c2c1eba4f78c1

SHA1
f3dc248a9850b358beff204b8e69ef86cb1e398d

SHA256
e6aa1c3c529c5d6cb73ef7eb959555c8d681e36bae8290ed1310b5caec13cc84

SHA512
b6e5e021b5dc12188e09f1a1a2f483700e2b0a795494bcf21a1f7036f5c34443c73e87671aafcf7775aedf39ef608cf41da1286fae2162786974b23521c2294d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AMDRSServ.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RadeonSoftware.exe.log

Filesize
1KB

MD5
23095077e59941121be408de05f8843b

SHA1
6a85a4fb6a47e96b4c65f8849647ff486273b513

SHA256
49cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5

SHA512
05644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMDRSServ.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdpWrapper_292ecaf4f757491186702f051a76e30f.exe

Filesize
1.3MB

MD5
9c257b1d15817a818a675749f0429130

SHA1
234d14da613c1420ea17de60ab8c3621d1599f6f

SHA256
b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

SHA512
b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\AForge.Video.DirectShow.dll

Filesize
60KB

MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\SharpDX.DXGI.dll

Filesize
125KB

MD5
2b44c70c49b70d797fbb748158b5d9bb

SHA1
93e00e6527e461c45c7868d14cf05c007e478081

SHA256
3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

SHA512
faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\SharpDX.Direct3D11.dll

Filesize
271KB

MD5
98eb5ba5871acdeaebf3a3b0f64be449

SHA1
c965284f60ef789b00b10b3df60ee682b4497de3

SHA256
d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

SHA512
a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\SharpDX.Direct3D9.dll

Filesize
338KB

MD5
934da0e49208d0881c44fe19d5033840

SHA1
a19c5a822e82e41752a08d3bd9110db19a8a5016

SHA256
02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

SHA512
de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\TurboJpegWrapper.dll

Filesize
1.3MB

MD5
ac6acc235ebef6374bed71b37e322874

SHA1
a267baad59cd7352167636836bad4b971fcd6b6b

SHA256
047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

SHA512
72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\lib_3bd064b7c6b7453ba4e355a8c39c2b4a\x86\turbojpeg.dll

Filesize
646KB

MD5
82898ed19da89d7d44e280a3ced95e9b

SHA1
eec0af5733c642eac8c5e08479f462d1ec1ed4db

SHA256
5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29

SHA512
ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\plg_3bd064b7c6b7453ba4e355a8c39c2b4a\7e3ec7eec72244d8ab73154728e6c00f_1.2

Filesize
580KB

MD5
df0d0b4bd309e9e55f4710c60d103630

SHA1
4d430c00c6a186852a685f8e3283b316a661b851

SHA256
fcd4fbec90cce3171fb725b6f048cc88c8f9ce4efa5244e81383e1c425c275eb

SHA512
a39cd1beb18032ac1a171195a87aa056b41b9c40b3d3e3a6fe109e5fe835cb38e7c1573bc94112761274b85a571fd1a332a5fe1d88439e0e6a068df5c39b4297

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/756-33-0x00007FF9E8810000-0x00007FF9E92D2000-memory.dmp

Filesize
10.8MB

Download
memory/756-34-0x000000001AA50000-0x000000001AB5A000-memory.dmp

Filesize
1.0MB

Download
memory/756-84-0x00007FF9E8810000-0x00007FF9E92D2000-memory.dmp

Filesize
10.8MB

Download
memory/1488-71-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/1932-216-0x0000000007DB0000-0x0000000007DC8000-memory.dmp

Filesize
96KB

Download
memory/2228-8-0x0000000005690000-0x0000000005698000-memory.dmp

Filesize
32KB

Download
memory/2228-51-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2228-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2228-9-0x0000000005B90000-0x0000000005BB2000-memory.dmp

Filesize
136KB

Download
memory/2228-7-0x0000000005680000-0x0000000005692000-memory.dmp

Filesize
72KB

Download
memory/2228-6-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/2228-5-0x0000000005C70000-0x0000000006216000-memory.dmp

Filesize
5.6MB

Download
memory/2228-4-0x0000000003030000-0x000000000308C000-memory.dmp

Filesize
368KB

Download
memory/2228-3-0x0000000074540000-0x0000000074CF1000-memory.dmp

Filesize
7.7MB

Download
memory/2228-2-0x0000000003020000-0x000000000302E000-memory.dmp

Filesize
56KB

Download
memory/2228-1-0x0000000000970000-0x0000000000A5C000-memory.dmp

Filesize
944KB

Download
memory/4144-27-0x00007FF9E8810000-0x00007FF9E92D2000-memory.dmp

Filesize
10.8MB

Download
memory/4144-31-0x00007FF9E8810000-0x00007FF9E92D2000-memory.dmp

Filesize
10.8MB

Download
memory/4144-23-0x00007FF9E8813000-0x00007FF9E8815000-memory.dmp

Filesize
8KB

Download
memory/4144-24-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/4144-25-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4144-26-0x00000000027E0000-0x000000000281C000-memory.dmp

Filesize
240KB

Download
memory/4164-172-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4340-56-0x00000000063D0000-0x00000000063E0000-memory.dmp

Filesize
64KB

Download
memory/4340-146-0x0000000004FA0000-0x0000000004FEA000-memory.dmp

Filesize
296KB

Download
memory/4340-78-0x0000000007690000-0x00000000076F6000-memory.dmp

Filesize
408KB

Download
memory/4340-110-0x0000000007280000-0x00000000072CA000-memory.dmp

Filesize
296KB

Download
memory/4340-57-0x0000000006A50000-0x0000000006A5A000-memory.dmp

Filesize
40KB

Download
memory/4340-117-0x0000000008410000-0x000000000846A000-memory.dmp

Filesize
360KB

Download
memory/4340-55-0x0000000006700000-0x00000000068C2000-memory.dmp

Filesize
1.8MB

Download
memory/4340-124-0x00000000072D0000-0x00000000072F6000-memory.dmp

Filesize
152KB

Download
memory/4340-83-0x00000000079B0000-0x0000000007ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4340-131-0x00000000085D0000-0x0000000008724000-memory.dmp

Filesize
1.3MB

Download
memory/4340-54-0x0000000006360000-0x0000000006378000-memory.dmp

Filesize
96KB

Download
memory/4340-137-0x00000000660C0000-0x000000006614F000-memory.dmp

Filesize
572KB

Download
memory/4340-145-0x0000000001390000-0x00000000014E2000-memory.dmp

Filesize
1.3MB

Download
memory/4340-103-0x0000000007230000-0x0000000007274000-memory.dmp

Filesize
272KB

Download
memory/4340-147-0x000000000B230000-0x000000000B296000-memory.dmp

Filesize
408KB

Download
memory/4340-150-0x0000000007070000-0x0000000007088000-memory.dmp

Filesize
96KB

Download
memory/4340-52-0x0000000005BA0000-0x0000000005BEE000-memory.dmp

Filesize
312KB

Download
memory/4340-79-0x0000000007D90000-0x00000000083A8000-memory.dmp

Filesize
6.1MB

Download
memory/4340-96-0x0000000007050000-0x0000000007066000-memory.dmp

Filesize
88KB

Download
memory/4340-168-0x000000000B630000-0x000000000B7B8000-memory.dmp

Filesize
1.5MB

Download
memory/4340-81-0x00000000077F0000-0x000000000782C000-memory.dmp

Filesize
240KB

Download
memory/4340-89-0x0000000007020000-0x000000000702C000-memory.dmp

Filesize
48KB

Download
memory/4340-175-0x00000000660C0000-0x000000006614F000-memory.dmp

Filesize
572KB

Download
memory/4340-80-0x0000000007790000-0x00000000077A2000-memory.dmp

Filesize
72KB

Download
memory/4340-82-0x0000000007830000-0x000000000787C000-memory.dmp

Filesize
304KB

Download