amadey | d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

Analysis

max time kernel
292s
max time network
297s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exe
Size

241KB
MD5

3c0eaa80d5332030e07f85fbd5960044
SHA1

4f3495495a1eb31709949979dc78c23406eb9648
SHA256

d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890
SHA512

4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa
SSDEEP

6144:6BizIWRzBlSIiLaliSMrf5ujpmzqaAl5LiS:6asaxMNujpcqae4S

Score

10^/10

amadey lgoogloader redline 5139967220 downloader evasion infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.50

1h3art.me/i4kvjd3xc/index.php

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

5139967220

79.137.192.6:8362

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1180-650-0x0000000000BF0000-0x0000000000BFD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4044-547-0x000000000041972E-mapping.dmp	family_redline
behavioral2/memory/4044-583-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1.exe
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.exe

Executes dropped EXE 18 IoCs

Processes:

gntuud.exeAmadey.exerovwer.exe3000.exezzz.exezzz.exe1.exe1000.exegntuud.exerovwer.exegntuud.exerovwer.exegntuud.exerovwer.exegntuud.exerovwer.exegntuud.exerovwer.exe

pid	process
3940	gntuud.exe
4256	Amadey.exe
3068	rovwer.exe
2940	3000.exe
2768	zzz.exe
64	zzz.exe
4740	1.exe
4632	1000.exe
2288	gntuud.exe
2432	rovwer.exe
4336	gntuud.exe
4132	rovwer.exe
4072	gntuud.exe
2332	rovwer.exe
3636	gntuud.exe
4484	rovwer.exe
4144	gntuud.exe
388	rovwer.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	1.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe	upx
behavioral2/memory/2768-459-0x0000000001210000-0x00000000019F2000-memory.dmp	upx
behavioral2/memory/2768-461-0x0000000001210000-0x00000000019F2000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe	upx
behavioral2/memory/64-466-0x00000000002E0000-0x0000000000AC2000-memory.dmp	upx
behavioral2/memory/64-469-0x00000000002E0000-0x0000000000AC2000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exegntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\zzz.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000215001\\zzz.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000216001\\1.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\1000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000217001\\1000.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Amadey.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\Amadey.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\3000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000212001\\3000.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\zzz.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000214001\\zzz.exe"	rovwer.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1000.exe1.exe

description pid process target process

PID 4632 set thread context of 4044 4632 1000.exe vbc.exe
PID 4740 set thread context of 1180 4740 1.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4616 4632 WerFault.exe 1000.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4488 schtasks.exe
2644 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exevbc.exe

pid process

3992 powershell.exe
3992 powershell.exe
3992 powershell.exe
4044 vbc.exe
4044 vbc.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

1.exe

pid process

4740 1.exe

description	pid	process	target process
PID 4632 set thread context of 4044	4632	1000.exe	vbc.exe
PID 4740 set thread context of 1180	4740	1.exe	CasPol.exe

pid	pid_target	process	target process
4616	4632	WerFault.exe	1000.exe

pid	process
4488	schtasks.exe
2644	schtasks.exe

pid	process
3992	powershell.exe
3992	powershell.exe
3992	powershell.exe
4044	vbc.exe
4044	vbc.exe

pid	process
4740	1.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

1.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4740	1.exe
Token: SeLoadDriverPrivilege	4740	1.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeSystemEnvironmentPrivilege	3992	powershell.exe
Token: SeRemoteShutdownPrivilege	3992	powershell.exe
Token: SeUndockPrivilege	3992	powershell.exe
Token: SeManageVolumePrivilege	3992	powershell.exe
Token: 33	3992	powershell.exe
Token: 34	3992	powershell.exe
Token: 35	3992	powershell.exe
Token: 36	3992	powershell.exe
Token: SeDebugPrivilege	4044	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exegntuud.exeAmadey.exerovwer.execmd.exezzz.execmd.exezzz.execmd.exe1.exe1000.exe

description	pid	process	target process
PID 1968 wrote to memory of 3940	1968	d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exe	gntuud.exe
PID 1968 wrote to memory of 3940	1968	d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exe	gntuud.exe
PID 1968 wrote to memory of 3940	1968	d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exe	gntuud.exe
PID 3940 wrote to memory of 4488	3940	gntuud.exe	schtasks.exe
PID 3940 wrote to memory of 4488	3940	gntuud.exe	schtasks.exe
PID 3940 wrote to memory of 4488	3940	gntuud.exe	schtasks.exe
PID 3940 wrote to memory of 4256	3940	gntuud.exe	Amadey.exe
PID 3940 wrote to memory of 4256	3940	gntuud.exe	Amadey.exe
PID 3940 wrote to memory of 4256	3940	gntuud.exe	Amadey.exe
PID 4256 wrote to memory of 3068	4256	Amadey.exe	rovwer.exe
PID 4256 wrote to memory of 3068	4256	Amadey.exe	rovwer.exe
PID 4256 wrote to memory of 3068	4256	Amadey.exe	rovwer.exe
PID 3068 wrote to memory of 2644	3068	rovwer.exe	schtasks.exe
PID 3068 wrote to memory of 2644	3068	rovwer.exe	schtasks.exe
PID 3068 wrote to memory of 2644	3068	rovwer.exe	schtasks.exe
PID 3068 wrote to memory of 3112	3068	rovwer.exe	cmd.exe
PID 3068 wrote to memory of 3112	3068	rovwer.exe	cmd.exe
PID 3068 wrote to memory of 3112	3068	rovwer.exe	cmd.exe
PID 3112 wrote to memory of 1156	3112	cmd.exe	cmd.exe
PID 3112 wrote to memory of 1156	3112	cmd.exe	cmd.exe
PID 3112 wrote to memory of 1156	3112	cmd.exe	cmd.exe
PID 3112 wrote to memory of 680	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 680	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 680	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 1776	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 1776	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 1776	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 2280	3112	cmd.exe	cmd.exe
PID 3112 wrote to memory of 2280	3112	cmd.exe	cmd.exe
PID 3112 wrote to memory of 2280	3112	cmd.exe	cmd.exe
PID 3112 wrote to memory of 1728	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 1728	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 1728	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 2204	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 2204	3112	cmd.exe	cacls.exe
PID 3112 wrote to memory of 2204	3112	cmd.exe	cacls.exe
PID 3068 wrote to memory of 2940	3068	rovwer.exe	3000.exe
PID 3068 wrote to memory of 2940	3068	rovwer.exe	3000.exe
PID 3068 wrote to memory of 2940	3068	rovwer.exe	3000.exe
PID 3068 wrote to memory of 2768	3068	rovwer.exe	zzz.exe
PID 3068 wrote to memory of 2768	3068	rovwer.exe	zzz.exe
PID 2768 wrote to memory of 4288	2768	zzz.exe	cmd.exe
PID 2768 wrote to memory of 4288	2768	zzz.exe	cmd.exe
PID 4288 wrote to memory of 4772	4288	cmd.exe	choice.exe
PID 4288 wrote to memory of 4772	4288	cmd.exe	choice.exe
PID 3068 wrote to memory of 64	3068	rovwer.exe	zzz.exe
PID 3068 wrote to memory of 64	3068	rovwer.exe	zzz.exe
PID 64 wrote to memory of 2112	64	zzz.exe	cmd.exe
PID 64 wrote to memory of 2112	64	zzz.exe	cmd.exe
PID 2112 wrote to memory of 8	2112	cmd.exe	choice.exe
PID 2112 wrote to memory of 8	2112	cmd.exe	choice.exe
PID 3068 wrote to memory of 4740	3068	rovwer.exe	1.exe
PID 3068 wrote to memory of 4740	3068	rovwer.exe	1.exe
PID 3068 wrote to memory of 4632	3068	rovwer.exe	1000.exe
PID 3068 wrote to memory of 4632	3068	rovwer.exe	1000.exe
PID 3068 wrote to memory of 4632	3068	rovwer.exe	1000.exe
PID 4740 wrote to memory of 3992	4740	1.exe	powershell.exe
PID 4740 wrote to memory of 3992	4740	1.exe	powershell.exe
PID 4632 wrote to memory of 4044	4632	1000.exe	vbc.exe
PID 4632 wrote to memory of 4044	4632	1000.exe	vbc.exe
PID 4632 wrote to memory of 4044	4632	1000.exe	vbc.exe
PID 4632 wrote to memory of 4044	4632	1000.exe	vbc.exe
PID 4632 wrote to memory of 4044	4632	1000.exe	vbc.exe
PID 4740 wrote to memory of 1180	4740	1.exe	CasPol.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.exe

C:\Users\Admin\AppData\Local\Temp\d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exe
"C:\Users\Admin\AppData\Local\Temp\d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:4488

C:\Users\Admin\AppData\Local\Temp\1000001001\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\Amadey.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
5⤵
- Creates scheduled task(s)
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1156

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
6⤵
PID:680

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
6⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2280

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
6⤵
PID:1728

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
6⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe
"C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe"
5⤵
- Executes dropped EXE
PID:2940

C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
7⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
7⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Sets service image path in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe" -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\1000217001\1000.exe
"C:\Users\Admin\AppData\Local\Temp\1000217001\1000.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 356
6⤵
- Program crash
PID:4616

C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\Amadey.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\Amadey.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe
Filesize
2.4MB

MD5
77181eb9385b899f4bce3387a2efe18c

SHA1
68488c2d2aae96c6f552bcddb81e198b0390312a

SHA256
e18597f8343d2752ecfea69c4615ea58f37d948ee5d0741791410fb2a4827b1b

SHA512
3d034f0b238ad5da850d38f3f247693415ca1773aab84f25c32d500864d7a11b8385d2c5da45a19950c5cdad9664963af85ae13d48da7fceee895d847f94eeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
Filesize
2.4MB

MD5
e289e55c96e8c077a682aa0530841161

SHA1
d5154044ff465fa535955c857118b59124c85547

SHA256
a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a

SHA512
a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
Filesize
2.4MB

MD5
e289e55c96e8c077a682aa0530841161

SHA1
d5154044ff465fa535955c857118b59124c85547

SHA256
a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a

SHA512
a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe
Filesize
2.4MB

MD5
e289e55c96e8c077a682aa0530841161

SHA1
d5154044ff465fa535955c857118b59124c85547

SHA256
a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a

SHA512
a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe
Filesize
2.4MB

MD5
e289e55c96e8c077a682aa0530841161

SHA1
d5154044ff465fa535955c857118b59124c85547

SHA256
a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a

SHA512
a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe
Filesize
485KB

MD5
197cc0b311afc440dd150387e68bf49f

SHA1
78434666b854de78dfbfb253e66644865d324586

SHA256
d0f5a3be9ab80e06600ffcb13d897f325b7c8737b895223b3b7e03ecc79abbca

SHA512
93e805b0956a69a2f9bcabd059bafef689a82aa8654a71bf56d9834db9a5d1904aca34178e02b47f85b6bbac3b4430209dc989071e50c1d63c152daeb5052fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe
Filesize
485KB

MD5
197cc0b311afc440dd150387e68bf49f

SHA1
78434666b854de78dfbfb253e66644865d324586

SHA256
d0f5a3be9ab80e06600ffcb13d897f325b7c8737b895223b3b7e03ecc79abbca

SHA512
93e805b0956a69a2f9bcabd059bafef689a82aa8654a71bf56d9834db9a5d1904aca34178e02b47f85b6bbac3b4430209dc989071e50c1d63c152daeb5052fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000217001\1000.exe
Filesize
182KB

MD5
75e4e9080625c45150fb0c729677203e

SHA1
c31559bf53e9be7501c6fcad32ad29368d514e7d

SHA256
081efe08a54211147b7fb7f7dafba081da5ca5c0902f741003c4e4374e773869

SHA512
fcb0e13c5e3e1bf54dcb22470fc83097dffffd191e6f112595e0338b0a9f33dd45feb774a94dc8a00f35c09970d671a057ff5bd646541872abe8f26aa791bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000217001\1000.exe
Filesize
182KB

MD5
75e4e9080625c45150fb0c729677203e

SHA1
c31559bf53e9be7501c6fcad32ad29368d514e7d

SHA256
081efe08a54211147b7fb7f7dafba081da5ca5c0902f741003c4e4374e773869

SHA512
fcb0e13c5e3e1bf54dcb22470fc83097dffffd191e6f112595e0338b0a9f33dd45feb774a94dc8a00f35c09970d671a057ff5bd646541872abe8f26aa791bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
Filesize
241KB

MD5
3c0eaa80d5332030e07f85fbd5960044

SHA1
4f3495495a1eb31709949979dc78c23406eb9648

SHA256
d72ba95c67364911636a82f711732eb67e235bb31b17928e832228e847d25890

SHA512
4380fc3af96039f15b5094fa05c70b7bfdb0c93443816d48017e2e31532ef224acf8b23f113ff570189e53faa126529cc9574b04869d68a20ede2df7a5d0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
memory/8-468-0x0000000000000000-mapping.dmp

Download
memory/64-463-0x0000000000000000-mapping.dmp

Download
memory/64-466-0x00000000002E0000-0x0000000000AC2000-memory.dmp

Filesize
7.9MB

Download
memory/64-469-0x00000000002E0000-0x0000000000AC2000-memory.dmp

Filesize
7.9MB

Download
memory/680-363-0x0000000000000000-mapping.dmp

Download
memory/1156-354-0x0000000000000000-mapping.dmp

Download
memory/1180-589-0x0000000000403BA0-mapping.dmp

Download
memory/1180-646-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1180-650-0x0000000000BF0000-0x0000000000BFD000-memory.dmp

Filesize
52KB

Download
memory/1180-648-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/1728-395-0x0000000000000000-mapping.dmp

Download
memory/1776-378-0x0000000000000000-mapping.dmp

Download
memory/1968-148-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-132-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-155-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-117-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-157-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-158-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-159-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-118-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-153-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-119-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-120-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-121-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-122-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-123-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-124-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-125-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-152-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-126-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-127-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-128-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-129-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-130-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-131-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-141-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-154-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-133-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-156-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-140-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-151-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-134-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-150-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-116-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-149-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-135-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-136-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-147-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-146-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-137-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-138-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-145-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-144-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-143-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-139-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-142-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/2112-467-0x0000000000000000-mapping.dmp

Download
memory/2204-421-0x0000000000000000-mapping.dmp

Download
memory/2280-392-0x0000000000000000-mapping.dmp

Download
memory/2644-333-0x0000000000000000-mapping.dmp

Download
memory/2768-456-0x0000000000000000-mapping.dmp

Download
memory/2768-459-0x0000000001210000-0x00000000019F2000-memory.dmp

Filesize
7.9MB

Download
memory/2768-461-0x0000000001210000-0x00000000019F2000-memory.dmp

Filesize
7.9MB

Download
memory/2940-435-0x0000000000000000-mapping.dmp

Download
memory/3068-286-0x0000000000000000-mapping.dmp

Download
memory/3112-336-0x0000000000000000-mapping.dmp

Download
memory/3940-170-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-160-0x0000000000000000-mapping.dmp

Download
memory/3940-182-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-178-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-177-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-176-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-174-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-175-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-173-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-172-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-179-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-167-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-171-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-162-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-180-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-166-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-181-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-165-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-163-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-164-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-169-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3992-511-0x000001142FA70000-0x000001142FAE6000-memory.dmp

Filesize
472KB

Download
memory/3992-508-0x000001142F760000-0x000001142F782000-memory.dmp

Filesize
136KB

Download
memory/3992-503-0x0000000000000000-mapping.dmp

Download
memory/4044-583-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4044-614-0x0000000009690000-0x00000000096CE000-memory.dmp

Filesize
248KB

Download
memory/4044-600-0x0000000009630000-0x0000000009642000-memory.dmp

Filesize
72KB

Download
memory/4044-651-0x00000000096D0000-0x000000000971B000-memory.dmp

Filesize
300KB

Download
memory/4044-653-0x0000000009930000-0x0000000009A3A000-memory.dmp

Filesize
1.0MB

Download
memory/4044-594-0x0000000009BA0000-0x000000000A1A6000-memory.dmp

Filesize
6.0MB

Download
memory/4044-983-0x000000000B9F0000-0x000000000BEEE000-memory.dmp

Filesize
5.0MB

Download
memory/4044-547-0x000000000041972E-mapping.dmp

Download
memory/4044-986-0x000000000AE70000-0x000000000AF02000-memory.dmp

Filesize
584KB

Download
memory/4044-987-0x000000000AF10000-0x000000000AF86000-memory.dmp

Filesize
472KB

Download
memory/4044-991-0x000000000B570000-0x000000000B58E000-memory.dmp

Filesize
120KB

Download
memory/4044-874-0x000000000A8C0000-0x000000000AA82000-memory.dmp

Filesize
1.8MB

Download
memory/4044-875-0x000000000AFC0000-0x000000000B4EC000-memory.dmp

Filesize
5.2MB

Download
memory/4044-971-0x000000000AB00000-0x000000000AB66000-memory.dmp

Filesize
408KB

Download
memory/4256-239-0x0000000000000000-mapping.dmp

Download
memory/4288-460-0x0000000000000000-mapping.dmp

Download
memory/4488-207-0x0000000000000000-mapping.dmp

Download
memory/4632-474-0x0000000000000000-mapping.dmp

Download
memory/4740-479-0x000002A789D50000-0x000002A789DCA000-memory.dmp

Filesize
488KB

Download
memory/4740-473-0x000002A788030000-0x000002A7880AE000-memory.dmp

Filesize
504KB

Download
memory/4740-470-0x0000000000000000-mapping.dmp

Download
memory/4772-462-0x0000000000000000-mapping.dmp

Download