Analysis

max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 16:13

Static task: static1
Behavioral task: behavioral1
Sample: 2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe
Resource: win7-20241010-en

General

Target: 2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe
Size: 7.8MB
MD5: 627bff73b072ecc872edc7aa2572dfb2
SHA1: 8cc229ae419780ca37fd28087e959a9f4574840a
SHA256: 0d715978543633d8b2eb9661c08c2c93f039418eb0754985c6a89e120270d114
SHA512: 0929a1cf0a64aa4458d1ffa1abcb9b8167ce0b48ae44c56647ba9329eefc176df025667a2280132d8912167e386ce8a8ab208ca59295885980721c6b7f95827e
SSDEEP: 98304:HoqTB3Yle8vH5+pO5xLAqI+lBqyZyaUCQcyaEoA2M4dwqtTysyXVS4bGpCYP7T4X:f4eDpO7L6eQygaLpCYP71Hy9
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
pid | Process
2420 | esszvidlag.exe
2752 | itnvjrmncf.exe
1284 | SearchUserHost.exe
1200 | Explorer.EXE
436 | bindsvc.exe
-
Loads dropped DLL 12 IoCs
pid | Process
1664 | 2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe (repeated 4 times)
2720 | SearchIndexer.exe (repeated 3 times)
1284 | SearchUserHost.exe
1616 | SearchProtocolHost.exe
2304 | SearchProtocolHost.exe
2752 | itnvjrmncf.exe (repeated 2 times)
-
pid | Process
2052 | cmd.exe
2928 | ARP.EXE
-
Drops file in System32 directory 11 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wimsvc.exe | itnvjrmncf.exe
File created | C:\Windows\SysWOW64\racfg.exe | itnvjrmncf.exe
File opened for modification | C:\Windows\system32\SearchUserHost.exe | SearchIndexer.exe
File created | C:\Windows\System32\bindsvc.exe | itnvjrmncf.exe
File opened for modification | C:\Windows\SysWOW64\wideshut.exe | itnvjrmncf.exe
File created | C:\Windows\SysWOW64\bindsvc.exe | itnvjrmncf.exe
File created | C:\Windows\system32\msfte.dll | itnvjrmncf.exe
File created | C:\Windows\system32\SearchUserHost.exe | SearchIndexer.exe
File created | C:\Windows\system32\oci.dll | itnvjrmncf.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File created | C:\Windows\SysWOW64\wideshut.exe | itnvjrmncf.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2996 | tasklist.exe
1696 | tasklist.exe
-
resource | yara_rule
behavioral1/files/0x0009000000016d0c-17.dat | upx
behavioral1/memory/1664-16-0x0000000003370000-0x00000000034EA000-memory.dmp | upx
behavioral1/memory/2752-279-0x0000000000DF0000-0x0000000000F6A000-memory.dmp | upx
behavioral1/memory/2752-305-0x0000000000DF0000-0x0000000000F6A000-memory.dmp | upx
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2000 | sc.exe
1812 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | itnvjrmncf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2196 | cmd.exe
700 | PING.EXE
-
System Network Connections Discovery 1 TTPs 2 IoCs
Attempt to get a listing of network connections.
pid | Process
2124 | NETSTAT.EXE
2992 | cmd.exe
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid | Process
2124 | NETSTAT.EXE
2776 | ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
2480 | systeminfo.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." | SearchProtocolHost.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
700 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2720 | SearchIndexer.exe (repeated 2 times)
1284 | SearchUserHost.exe
2996 | tasklist.exe (repeated 2 times)
2752 | itnvjrmncf.exe
1284 | SearchUserHost.exe (repeated 14 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1200 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeManageVolumePrivilege | 2720 | SearchIndexer.exe
Token: 33 | 2720 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2720 | SearchIndexer.exe
Token: SeDebugPrivilege | 2996 | tasklist.exe
Token: SeDebugPrivilege | 2124 | NETSTAT.EXE
Token: SeDebugPrivilege | 1696 | tasklist.exe
Token: SeDebugPrivilege | 1284 | SearchUserHost.exe (repeated 14 times)
-
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process
1616 | SearchProtocolHost.exe (repeated 5 times)
2304 | SearchProtocolHost.exe (repeated 9 times)
1284 | SearchUserHost.exe (repeated 50 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1664 wrote to memory of 2420 | 1664 | 2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe | 30 (repeated 4 times)
PID 1664 wrote to memory of 2752 | 1664 | 2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe | 31 (repeated 4 times)
PID 2720 wrote to memory of 1284 | 2720 | SearchIndexer.exe | 33 (repeated 3 times)
PID 1284 wrote to memory of 1200 | 1284 | SearchUserHost.exe | 21
PID 1200 wrote to memory of 2676 | 1200 | Explorer.EXE | 34 (repeated 3 times)
PID 1284 wrote to memory of 2780 | 1284 | SearchUserHost.exe | 35 (repeated 3 times)
PID 2780 wrote to memory of 2480 | 2780 | cmd.exe | 37 (repeated 3 times)
PID 2720 wrote to memory of 1616 | 2720 | SearchIndexer.exe | 39 (repeated 3 times)
PID 1200 wrote to memory of 2460 | 1200 | Explorer.EXE | 40 (repeated 3 times)
PID 2720 wrote to memory of 1372 | 2720 | SearchIndexer.exe | 41 (repeated 3 times)
PID 2720 wrote to memory of 2304 | 2720 | SearchIndexer.exe | 42 (repeated 3 times)
PID 1284 wrote to memory of 2500 | 1284 | SearchUserHost.exe | 44 (repeated 3 times)
PID 2500 wrote to memory of 2996 | 2500 | cmd.exe | 46 (repeated 3 times)
PID 1284 wrote to memory of 2992 | 1284 | SearchUserHost.exe | 47 (repeated 3 times)
PID 2992 wrote to memory of 2124 | 2992 | cmd.exe | 49 (repeated 3 times)
PID 1284 wrote to memory of 2636 | 1284 | SearchUserHost.exe | 50 (repeated 3 times)
PID 2636 wrote to memory of 2776 | 2636 | cmd.exe | 52 (repeated 3 times)
PID 1284 wrote to memory of 2228 | 1284 | SearchUserHost.exe | 53 (repeated 3 times)
PID 2228 wrote to memory of 1476 | 2228 | cmd.exe | 55 (repeated 3 times)
PID 1284 wrote to memory of 2052 | 1284 | SearchUserHost.exe | 56 (repeated 3 times)
PID 2052 wrote to memory of 2928 | 2052 | cmd.exe | 58 (repeated 3 times)
PID 1284 wrote to memory of 2032 | 1284 | SearchUserHost.exe | 59
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (indentation shows parent/child depth; each entry lists the image path, the command line, the signatures triggered, and the PID).

* C:\Windows\System32\smss.exe
  cmdline: \SystemRoot\System32\smss.exe
  PID: 256

* C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID: 1200

  * C:\Users\Admin\AppData\Local\Temp\2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1664

    * C:\Users\Admin\AppData\Local\Temp\esszvidlag.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\esszvidlag.exe" "C:\Users\Admin\AppData\Local\Temp\ernlempnsz.exe" "C:\Users\Admin\AppData\Local\Temp\2025-03-30_627bff73b072ecc872edc7aa2572dfb2_amadey_rhadamanthys_smoke-loader.exe"
      - Executes dropped EXE
      PID: 2420

    * C:\Users\Admin\AppData\Local\Temp\itnvjrmncf.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\itnvjrmncf.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2752

      * C:\Windows\System32\cmd.exe
        cmdline: /c sc config msdtc obj= LocalSystem
        PID: 2524

        * C:\Windows\system32\sc.exe
          cmdline: sc config msdtc obj= LocalSystem
          - Launches sc.exe
          PID: 2000

      * C:\Windows\system32\cmd.exe
        cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\RtglwYfa.bat"
        PID: 1052

      * C:\Windows\System32\bindsvc.exe
        cmdline: "C:\Windows\System32\bindsvc.exe"
        - Executes dropped EXE
        PID: 436

  * C:\Windows\System32\wscript.exe
    cmdline: C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
    PID: 2676

  * C:\Windows\System32\wscript.exe
    cmdline: C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
    PID: 2460

* C:\Windows\system32\SearchIndexer.exe
  cmdline: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2720

  * C:\Windows\system32\SearchUserHost.exe
    cmdline: C:\Windows\system32\SearchUserHost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1284

    * C:\Windows\system32\cmd.exe
      cmdline: /c systeminfo
      - Suspicious use of WriteProcessMemory
      PID: 2780

      * C:\Windows\system32\systeminfo.exe
        cmdline: systeminfo
        - Gathers system information
        PID: 2480

    * C:\Windows\system32\cmd.exe
      cmdline: /c "tasklist /v"
      - Suspicious use of WriteProcessMemory
      PID: 2500

      * C:\Windows\system32\tasklist.exe
        cmdline: tasklist /v
        - Enumerates processes with tasklist
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2996

    * C:\Windows\system32\cmd.exe
      cmdline: /c "netstat -ano"
      - System Network Connections Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2992

      * C:\Windows\system32\NETSTAT.EXE
        cmdline: netstat -ano
        - System Network Connections Discovery
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
        PID: 2124

    * C:\Windows\system32\cmd.exe
      cmdline: /c "ipconfig /all"
      - Suspicious use of WriteProcessMemory
      PID: 2636

      * C:\Windows\system32\ipconfig.exe
        cmdline: ipconfig /all
        - Gathers network information
        PID: 2776

    * C:\Windows\system32\cmd.exe
      cmdline: /c "route print"
      - Suspicious use of WriteProcessMemory
      PID: 2228

      * C:\Windows\system32\ROUTE.EXE
        cmdline: route print
        PID: 1476

    * C:\Windows\system32\cmd.exe
      cmdline: /c "arp -a"
      - Network Service Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2052

      * C:\Windows\system32\ARP.EXE
        cmdline: arp -a
        - Network Service Discovery
        PID: 2928

    * C:\Windows\system32\cmd.exe
      cmdline: /c "tasklist /m msfte.dll"
      PID: 2032

      * C:\Windows\system32\tasklist.exe
        cmdline: tasklist /m msfte.dll
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 1696

    * C:\Windows\system32\cmd.exe
      cmdline: /c "net share"
      PID: 2492

      * C:\Windows\system32\net.exe
        cmdline: net share
        PID: 1164

        * C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 share
          PID: 2148

    * C:\Windows\system32\cmd.exe
      cmdline: /c "ping server"
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 2196

      * C:\Windows\system32\PING.EXE
        cmdline: ping server
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 700

    * C:\Windows\system32\cmd.exe
      cmdline: /c "sc query hfile.sys"
      PID: 824

      * C:\Windows\system32\sc.exe
        cmdline: sc query hfile.sys
        - Launches sc.exe
        PID: 1812

  * C:\Windows\system32\SearchProtocolHost.exe
    cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID: 1616

  * C:\Windows\system32\SearchFilterHost.exe
    cmdline: "C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560
    - Modifies data under HKEY_USERS
    PID: 1372

  * C:\Windows\system32\SearchProtocolHost.exe
    cmdline: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 2304

Network
MITRE ATT&CK Enterprise v15

Discovery
- Network Service Discovery: 1
- Network Share Discovery: 1
- Process Discovery: 1
- Query Registry: 1
- Remote System Discovery: 1
- System Information Discovery: 3
- System Location Discovery: 1
  - System Language Discovery: 1
- System Network Configuration Discovery: 1
  - Internet Connection Discovery: 1
- System Network Connections Discovery: 1
Downloads

Filesize: 1024KB
MD5: 51da34a4f22540e7676f7e66bbb3d544
SHA1: 963a8594079797affc9f8761097d2923fbdaaa79
SHA256: 9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA512: 33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f

Filesize: 16KB
MD5: b45b6e93ebedacb5000d75afa46c1748
SHA1: 16a5b5e6609a38b011b8c2652bc2a92c4cea2c48
SHA256: a97402315c5888fba9cf2a5a0b67838db940d088344c13d29063f87fcda6520b
SHA512: 83779c667b62b4dc682bcfd7a60c0e3465de7c9e05509d0299b2221ab59b92651ae2ac981b21bc177577b142e9dbf15be5a9165b5ed22f6f4a01056cf078417b

Filesize: 16KB
MD5: 308e16394ea2802c0fd24ec2f997598c
SHA1: 3e5f72d273f6b7169d73829253841debca618db3
SHA256: 9756934d257476f6135430efc947c5f3ab16e73878133a250e59241b643b4f0a
SHA512: d326cd7f7bb6e5cf52f22cd342d90ef7ae5faa2965f1bea79c2f0d70bad8dd715ce0f2732e4fff108cce9bfdcc1836f91ab256fdce4266bd72ae73639fd6fe96

Filesize: 196B
MD5: 9ad7615e39ec424569ccd6befd3b4990
SHA1: 78f419a8aefc3fdf800aa43579aff595cbdfa115
SHA256: aad663a071988e81a41fe336559fda73b9085b728da17e92662c54144bba1a7e
SHA512: f39e5fc65f390c22405c94adc115536726eb1c0254ddca0edaa85a664fd1bcc3e214678ad92e68a38515f7de6e1f2b0173992fa0c261a363a4cb5593b6928c3b

Filesize: 580KB
MD5: 2c2029588ad8b86759c17b7ae885ee03
SHA1: 91653b5344d4c210201218e2f215dd5228d76799
SHA256: 3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290
SHA512: 88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Filesize: 2KB
MD5: 401fc5384c4c19df7eae2e9be076ceab
SHA1: 2d89c9a6a6fe95c5d2034ee27354da75d3669ead
SHA256: 57d0699b7ed07f7721efce74725af9516fd02d405b12420708e66a70004ae24d
SHA512: dc1aea9cf0cc25743d23970fb09b795c178d006e40e671914a40a0804ec8c15da385138d796563d187940dafb623a39cf5f9d5db3ead96c8772f9429088513df

Filesize: 882B
MD5: 178722574f1d9b15f15f5f5f4c33dc9a
SHA1: 4952954b6e6434fd51cf7ef68298e6b749c9a7f5
SHA256: 5c73eb72cc74a0acab5247128ccd86c91435a9cfe4cd9f0ee5c396ad3d35f92f
SHA512: ee334aa68940a5a06a2673a31b05594b03cd3494ca344984427ad5c01c04cc5f88e1a91ee98ce55989dd8dafe62cd99fe78e5446da3576734585d3959b5d75ba

Filesize: 5KB
MD5: 2afaeffcf099998c4a80f2751f10220a
SHA1: 2f96baee4134a7f1fb1fb00b5b52a2ce496b2949
SHA256: acb4b824d7db2f1a4bca0c15a3a54539979161d9546fd93b5c8ea6ba4a259a86
SHA512: 01cdd858dae153509ef81bb8e012ba8f383ea9ceb461224bde109c40cef99c6e701e086a06908aa4710f6ee24aab3416a00889dcc8cb6d98e4376ef71e69a4c5

Filesize: 5KB
MD5: afa5da9a91784accd5b95eafa41a35dc
SHA1: 29f80804ab94098a622adde97808d9fa93524cd0
SHA256: f9de208e067d91a692afbe8c3953f86a4532adda99841d14ee926a92f2b6724f
SHA512: c141ff7faa0a86ec9b43ed7c56309207d7d8fb99150b7f23d1dfd104d5f2d6ee1ffe1c0da68672ceb325ce97fc3761b2a2893f47b8964d4fee37f758baaa3e84

Filesize: 1KB
MD5: 3439318cedcf37c1bf5fe6d49ddbb2cb
SHA1: e075965bb3b38abdd80668fb6101a0d10b30f080
SHA256: 6484a02c2db6c9afb5659ede4047cad10b7102c2bbc4c94bf8482f88d8fd83a8
SHA512: 3dffcf24b052a7fffd50ab6c76d081b1c47ba64c20f21650e4bdcf19106518e8b342691711230ba9eea5489994b8ccec8ad11f54b1509b1cd518616254176b61

Filesize: 291KB
MD5: 7c5b397fb54d5aa06bd2a6fb99c62fee
SHA1: a9e0bf7bbabf6ab9e294156985537ae972ebd743
SHA256: d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee
SHA512: daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Filesize: 217KB
MD5: d7ddfd90c55ad42200b2a7e51110ad87
SHA1: 0c9429f0b51a73423de4cb0ecf10fd3b3bacd84d
SHA256: 4fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446
SHA512: 8ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179

Filesize: 51KB
MD5: e48b89715bf5e4c55eb5a1fed67865d9
SHA1: 89a287da39e14b02cdc284eb287549462346d724
SHA256: c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e
SHA512: 4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Filesize: 244KB
MD5: 42ec9065d9bf266ade924b066c783a56
SHA1: a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77
SHA256: 4ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc
SHA512: e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980