amadey | c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559

Analysis

max time kernel
153s
max time network
156s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-11-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
Size

168KB
MD5

f9826a77de96525218618519abd65747
SHA1

84495c82d3180110bf80302f5d903606f314678e
SHA256

c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559
SHA512

6cfcb0c7bdcf313654f472ec8e45c32cecc6991813a2c7ea451215614e6ec2733d8e2b4a33db74c9e15241309dcfc24913e9f29ff5edc2e08a462404889c96c7
SSDEEP

3072:IpmFf6cDjuTSUPS5JWnpfuUa8Dw+fgZ95kEJIfaA2w1yk6p:hiMjGSURn0n8Dw88Jm1y

Score

10^/10

amadey redline smokeloader kript pops backdoor collection evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

77.73.134.65/o7VsjdSa2f/index.php

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

pops

31.41.244.14:4694

Attributes

auth_value
c377eb074ac3f12f85b0ff38d543b16d

Extracted

Family

redline

Botnet

KRIPT

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2124-148-0x00000000007A0000-0x00000000007A9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe	family_redline
behavioral1/memory/5008-1001-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/4064-1002-0x0000000000E40000-0x0000000000E68000-memory.dmp	family_redline
behavioral1/memory/3972-1228-0x000000000044C25E-mapping.dmp	family_redline
behavioral1/memory/3972-1273-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

6E69.exe

description pid process target process

PID 3508 created 2756 3508 6E69.exe taskhostw.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions svchost.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

73 4564 rundll32.exe
76 856 rundll32.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3508 created 2756	3508	6E69.exe	taskhostw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

flow	pid	process
73	4564	rundll32.exe
76	856	rundll32.exe

Executes dropped EXE 12 IoCs

Processes:

6E69.exe81B4.exeBBEF.exeC1AD.exegntuud.exerovwer.exelaba.exesvchost.exelinda5.exerovwer.exewgftrjjgntuud.exe

pid	process
3508	6E69.exe
3220	81B4.exe
3044	BBEF.exe
4260	C1AD.exe
2452	gntuud.exe
4544	rovwer.exe
4064	laba.exe
3584	svchost.exe
4700	linda5.exe
4160	rovwer.exe
4984	wgftrjj
4348	gntuud.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Deletes itself 1 IoCs

Processes:

pid process

3064
Loads dropped DLL 5 IoCs

Processes:

6E69.exerundll32.exerundll32.exerundll32.exe

pid process

3508 6E69.exe
4456 rundll32.exe
4456 rundll32.exe
4564 rundll32.exe
856 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3064

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000142001\\linda5.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\laba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000141001\\laba.exe"	rovwer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

BBEF.exe6E69.exesvchost.exe

description	pid	process	target process
PID 3044 set thread context of 4484	3044	BBEF.exe	vbc.exe
PID 3508 set thread context of 5008	3508	6E69.exe	ngentask.exe
PID 3584 set thread context of 3972	3584	svchost.exe	jsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

920 3044 WerFault.exe BBEF.exe

pid	pid_target	process	target process
920	3044	WerFault.exe	BBEF.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2712 schtasks.exe
3364 schtasks.exe
Modifies registry class 1 IoCs

Processes:

linda5.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings linda5.exe

pid	process
2712	schtasks.exe
3364	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	linda5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe

pid	process
2124	c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
2124	c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064

pid	process
3064

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe

pid	process
2124	c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

jsc.exe

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	3972	jsc.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BBEF.exe81B4.exeC1AD.exe6E69.exegntuud.exe

description	pid	process	target process
PID 3064 wrote to memory of 3508	3064		6E69.exe
PID 3064 wrote to memory of 3508	3064		6E69.exe
PID 3064 wrote to memory of 3508	3064		6E69.exe
PID 3064 wrote to memory of 3220	3064		81B4.exe
PID 3064 wrote to memory of 3220	3064		81B4.exe
PID 3064 wrote to memory of 3220	3064		81B4.exe
PID 3064 wrote to memory of 3044	3064		BBEF.exe
PID 3064 wrote to memory of 3044	3064		BBEF.exe
PID 3064 wrote to memory of 3044	3064		BBEF.exe
PID 3064 wrote to memory of 4260	3064		C1AD.exe
PID 3064 wrote to memory of 4260	3064		C1AD.exe
PID 3064 wrote to memory of 4260	3064		C1AD.exe
PID 3064 wrote to memory of 2916	3064		explorer.exe
PID 3064 wrote to memory of 2916	3064		explorer.exe
PID 3064 wrote to memory of 2916	3064		explorer.exe
PID 3064 wrote to memory of 2916	3064		explorer.exe
PID 3044 wrote to memory of 4484	3044	BBEF.exe	vbc.exe
PID 3044 wrote to memory of 4484	3044	BBEF.exe	vbc.exe
PID 3044 wrote to memory of 4484	3044	BBEF.exe	vbc.exe
PID 3044 wrote to memory of 4484	3044	BBEF.exe	vbc.exe
PID 3064 wrote to memory of 5084	3064		explorer.exe
PID 3064 wrote to memory of 5084	3064		explorer.exe
PID 3064 wrote to memory of 5084	3064		explorer.exe
PID 3044 wrote to memory of 4484	3044	BBEF.exe	vbc.exe
PID 3064 wrote to memory of 3284	3064		explorer.exe
PID 3064 wrote to memory of 3284	3064		explorer.exe
PID 3064 wrote to memory of 3284	3064		explorer.exe
PID 3064 wrote to memory of 3284	3064		explorer.exe
PID 3064 wrote to memory of 4580	3064		explorer.exe
PID 3064 wrote to memory of 4580	3064		explorer.exe
PID 3064 wrote to memory of 4580	3064		explorer.exe
PID 3064 wrote to memory of 384	3064		explorer.exe
PID 3064 wrote to memory of 384	3064		explorer.exe
PID 3064 wrote to memory of 384	3064		explorer.exe
PID 3064 wrote to memory of 384	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 860	3064		explorer.exe
PID 3064 wrote to memory of 860	3064		explorer.exe
PID 3064 wrote to memory of 860	3064		explorer.exe
PID 3064 wrote to memory of 860	3064		explorer.exe
PID 3220 wrote to memory of 2452	3220	81B4.exe	gntuud.exe
PID 3220 wrote to memory of 2452	3220	81B4.exe	gntuud.exe
PID 3220 wrote to memory of 2452	3220	81B4.exe	gntuud.exe
PID 3064 wrote to memory of 2680	3064		explorer.exe
PID 3064 wrote to memory of 2680	3064		explorer.exe
PID 3064 wrote to memory of 2680	3064		explorer.exe
PID 3064 wrote to memory of 4592	3064		explorer.exe
PID 3064 wrote to memory of 4592	3064		explorer.exe
PID 3064 wrote to memory of 4592	3064		explorer.exe
PID 3064 wrote to memory of 4592	3064		explorer.exe
PID 4260 wrote to memory of 4544	4260	C1AD.exe	rovwer.exe
PID 4260 wrote to memory of 4544	4260	C1AD.exe	rovwer.exe
PID 4260 wrote to memory of 4544	4260	C1AD.exe	rovwer.exe
PID 3508 wrote to memory of 5008	3508	6E69.exe	ngentask.exe
PID 3508 wrote to memory of 5008	3508	6E69.exe	ngentask.exe
PID 3508 wrote to memory of 5008	3508	6E69.exe	ngentask.exe
PID 3508 wrote to memory of 5008	3508	6E69.exe	ngentask.exe
PID 3508 wrote to memory of 5008	3508	6E69.exe	ngentask.exe
PID 2452 wrote to memory of 2712	2452	gntuud.exe	schtasks.exe
PID 2452 wrote to memory of 2712	2452	gntuud.exe	schtasks.exe
PID 2452 wrote to memory of 2712	2452	gntuud.exe	schtasks.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Users\Admin\AppData\Local\Temp\c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe
"C:\Users\Admin\AppData\Local\Temp\c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2124

C:\Users\Admin\AppData\Local\Temp\6E69.exe
C:\Users\Admin\AppData\Local\Temp\6E69.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\81B4.exe
C:\Users\Admin\AppData\Local\Temp\81B4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
PID:4564

C:\Users\Admin\AppData\Local\Temp\BBEF.exe
C:\Users\Admin\AppData\Local\Temp\BBEF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 256
2⤵
- Program crash
PID:920

C:\Users\Admin\AppData\Local\Temp\C1AD.exe
C:\Users\Admin\AppData\Local\Temp\C1AD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:3364

C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe
"C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe"
3⤵
- Executes dropped EXE
PID:4064

C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\CJSFuUPf.cpl",
4⤵
PID:68

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CJSFuUPf.cpl",
5⤵
- Loads dropped DLL
PID:4456

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3284

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:384

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Roaming\wgftrjj
C:\Users\Admin\AppData\Roaming\wgftrjj
1⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
1⤵
- Executes dropped EXE
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe
Filesize
137KB

MD5
9299834655f07e6896b1ff0b9e92c7b4

SHA1
acba1e9262b4aebf020758e30326afdc99c714ad

SHA256
fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257

SHA512
7ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe
Filesize
137KB

MD5
9299834655f07e6896b1ff0b9e92c7b4

SHA1
acba1e9262b4aebf020758e30326afdc99c714ad

SHA256
fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257

SHA512
7ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe
Filesize
1.6MB

MD5
57c3de4cf12bd20c8a37449d8d419ce0

SHA1
0454637f7482ef40ef9440f4f32fb59e9eeec1c8

SHA256
160646b715f02d6e3645cfdf3db83650bbe7b4961f0812d9e6481aef06c5d1fb

SHA512
9d4be05ca64e27b872099b8930443552931adc01ee75edc7f26c0961feffc02e7583c05fa10c63ea421e894bf51a54dd8b9137678d770b662951315b8e72eb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe
Filesize
1.6MB

MD5
57c3de4cf12bd20c8a37449d8d419ce0

SHA1
0454637f7482ef40ef9440f4f32fb59e9eeec1c8

SHA256
160646b715f02d6e3645cfdf3db83650bbe7b4961f0812d9e6481aef06c5d1fb

SHA512
9d4be05ca64e27b872099b8930443552931adc01ee75edc7f26c0961feffc02e7583c05fa10c63ea421e894bf51a54dd8b9137678d770b662951315b8e72eb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
226KB

MD5
d264eff72e0fc5e1ba488a07b45b1cf7

SHA1
b1d7fd92f5eeb19b22c06bedd06dcec12b0c3823

SHA256
e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35

SHA512
3340cc12e2adc11d950c3f26c38f1798da7839ee7d218e99578035bb311d85d1bfd25a7b88b3b34d6f13a9975af1ddb9af6196d663c3fd944ae9b2d9670bddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
226KB

MD5
d264eff72e0fc5e1ba488a07b45b1cf7

SHA1
b1d7fd92f5eeb19b22c06bedd06dcec12b0c3823

SHA256
e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35

SHA512
3340cc12e2adc11d950c3f26c38f1798da7839ee7d218e99578035bb311d85d1bfd25a7b88b3b34d6f13a9975af1ddb9af6196d663c3fd944ae9b2d9670bddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
226KB

MD5
d264eff72e0fc5e1ba488a07b45b1cf7

SHA1
b1d7fd92f5eeb19b22c06bedd06dcec12b0c3823

SHA256
e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35

SHA512
3340cc12e2adc11d950c3f26c38f1798da7839ee7d218e99578035bb311d85d1bfd25a7b88b3b34d6f13a9975af1ddb9af6196d663c3fd944ae9b2d9670bddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E69.exe
Filesize
1.0MB

MD5
fc78f5650188734808f725d0934650a1

SHA1
e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000

SHA256
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a

SHA512
d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E69.exe
Filesize
1.0MB

MD5
fc78f5650188734808f725d0934650a1

SHA1
e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000

SHA256
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a

SHA512
d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B4.exe
Filesize
780KB

MD5
d53cf9d2e7b6410bec5b8960643cbbc8

SHA1
55afb898ddcb5ef0af47ba7a82d8b820d7496dd6

SHA256
dfe955ab261dff65d5bfc3989342fb0bb9d4418485889a8b8062fef8eb5be708

SHA512
d5605e3f6160192b739aad221512307767d38984512f0dd917403daf9111f0d71c3305128fe0e0365cd5f180349146fba02006d646ae8793461459d6e2baa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B4.exe
Filesize
780KB

MD5
d53cf9d2e7b6410bec5b8960643cbbc8

SHA1
55afb898ddcb5ef0af47ba7a82d8b820d7496dd6

SHA256
dfe955ab261dff65d5bfc3989342fb0bb9d4418485889a8b8062fef8eb5be708

SHA512
d5605e3f6160192b739aad221512307767d38984512f0dd917403daf9111f0d71c3305128fe0e0365cd5f180349146fba02006d646ae8793461459d6e2baa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBEF.exe
Filesize
3.7MB

MD5
27b75158dcfeba6b3419bdbb15397584

SHA1
8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de

SHA256
a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4

SHA512
eb9acc530d9c20dc26a00489572fe5b21075181f5f25d6598ebd5292aef5bbce9c2dc89fac04201ea7ce5c5faec545e44c02e54356ae6dfda7d2f70255a930b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBEF.exe
Filesize
3.7MB

MD5
27b75158dcfeba6b3419bdbb15397584

SHA1
8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de

SHA256
a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4

SHA512
eb9acc530d9c20dc26a00489572fe5b21075181f5f25d6598ebd5292aef5bbce9c2dc89fac04201ea7ce5c5faec545e44c02e54356ae6dfda7d2f70255a930b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1AD.exe
Filesize
226KB

MD5
d264eff72e0fc5e1ba488a07b45b1cf7

SHA1
b1d7fd92f5eeb19b22c06bedd06dcec12b0c3823

SHA256
e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35

SHA512
3340cc12e2adc11d950c3f26c38f1798da7839ee7d218e99578035bb311d85d1bfd25a7b88b3b34d6f13a9975af1ddb9af6196d663c3fd944ae9b2d9670bddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1AD.exe
Filesize
226KB

MD5
d264eff72e0fc5e1ba488a07b45b1cf7

SHA1
b1d7fd92f5eeb19b22c06bedd06dcec12b0c3823

SHA256
e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35

SHA512
3340cc12e2adc11d950c3f26c38f1798da7839ee7d218e99578035bb311d85d1bfd25a7b88b3b34d6f13a9975af1ddb9af6196d663c3fd944ae9b2d9670bddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CJSFuUPf.cpl
Filesize
1.8MB

MD5
e9f31ed520cb7d8377ffd56d9b4bc9bc

SHA1
5771a75421efaaa792a6852934e1ae7c7f0bf293

SHA256
4ccbcc495a45c36a26e4ad432938fa95cde54175ae9ef65cbb234b7626eaa323

SHA512
dd1483188828aa44a55b9534f446f6efa36631afe7c978df5b63b8fb7c712b7d41e4cbcf2f68a090ae8282c29abe92cb8f39101e214394aef7561de946495c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
780KB

MD5
d53cf9d2e7b6410bec5b8960643cbbc8

SHA1
55afb898ddcb5ef0af47ba7a82d8b820d7496dd6

SHA256
dfe955ab261dff65d5bfc3989342fb0bb9d4418485889a8b8062fef8eb5be708

SHA512
d5605e3f6160192b739aad221512307767d38984512f0dd917403daf9111f0d71c3305128fe0e0365cd5f180349146fba02006d646ae8793461459d6e2baa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
780KB

MD5
d53cf9d2e7b6410bec5b8960643cbbc8

SHA1
55afb898ddcb5ef0af47ba7a82d8b820d7496dd6

SHA256
dfe955ab261dff65d5bfc3989342fb0bb9d4418485889a8b8062fef8eb5be708

SHA512
d5605e3f6160192b739aad221512307767d38984512f0dd917403daf9111f0d71c3305128fe0e0365cd5f180349146fba02006d646ae8793461459d6e2baa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
Filesize
780KB

MD5
d53cf9d2e7b6410bec5b8960643cbbc8

SHA1
55afb898ddcb5ef0af47ba7a82d8b820d7496dd6

SHA256
dfe955ab261dff65d5bfc3989342fb0bb9d4418485889a8b8062fef8eb5be708

SHA512
d5605e3f6160192b739aad221512307767d38984512f0dd917403daf9111f0d71c3305128fe0e0365cd5f180349146fba02006d646ae8793461459d6e2baa1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
588KB

MD5
d49e448a724e46252a188f98c9a3a77d

SHA1
f8ceb531b7a3c3cf24ac1d0226958a558de52006

SHA256
29ea393b1332261816d4d474668796214647c9a4634d3fb5713f8f5612f0a3d6

SHA512
0c9c50a57b78daa4a07b57a671231e463bb02fdc226ac04807651ca56b0b6de72edf043e20b6257c1df92479cdae5ce72197e0294d187e7f87570dc630b097e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
588KB

MD5
d49e448a724e46252a188f98c9a3a77d

SHA1
f8ceb531b7a3c3cf24ac1d0226958a558de52006

SHA256
29ea393b1332261816d4d474668796214647c9a4634d3fb5713f8f5612f0a3d6

SHA512
0c9c50a57b78daa4a07b57a671231e463bb02fdc226ac04807651ca56b0b6de72edf043e20b6257c1df92479cdae5ce72197e0294d187e7f87570dc630b097e7

Download Submit
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll
Filesize
126KB

MD5
f6d14701e7c568254151e153f7763672

SHA1
4501ffb7284f29cca51b06deba0262b8d33f93f6

SHA256
e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d

SHA512
62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
C:\Users\Admin\AppData\Roaming\wgftrjj
Filesize
168KB

MD5
f9826a77de96525218618519abd65747

SHA1
84495c82d3180110bf80302f5d903606f314678e

SHA256
c508803962bc297b90c8e4dffcb2c9a939ed718b59c4ebd97b30adf5627c0559

SHA512
6cfcb0c7bdcf313654f472ec8e45c32cecc6991813a2c7ea451215614e6ec2733d8e2b4a33db74c9e15241309dcfc24913e9f29ff5edc2e08a462404889c96c7

Download Submit
\Users\Admin\AppData\Local\Temp\CJsfuUpf.cpl
Filesize
1.8MB

MD5
e9f31ed520cb7d8377ffd56d9b4bc9bc

SHA1
5771a75421efaaa792a6852934e1ae7c7f0bf293

SHA256
4ccbcc495a45c36a26e4ad432938fa95cde54175ae9ef65cbb234b7626eaa323

SHA512
dd1483188828aa44a55b9534f446f6efa36631afe7c978df5b63b8fb7c712b7d41e4cbcf2f68a090ae8282c29abe92cb8f39101e214394aef7561de946495c9c

Download Submit
\Users\Admin\AppData\Local\Temp\CJsfuUpf.cpl
Filesize
1.8MB

MD5
e9f31ed520cb7d8377ffd56d9b4bc9bc

SHA1
5771a75421efaaa792a6852934e1ae7c7f0bf293

SHA256
4ccbcc495a45c36a26e4ad432938fa95cde54175ae9ef65cbb234b7626eaa323

SHA512
dd1483188828aa44a55b9534f446f6efa36631afe7c978df5b63b8fb7c712b7d41e4cbcf2f68a090ae8282c29abe92cb8f39101e214394aef7561de946495c9c

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
182KB

MD5
17973bb96ee2ead17abcfcac36f8a8a3

SHA1
4963470c86f26d1dd9bca3507feba6bd9b917eab

SHA256
29e22083fb33e9e91f44e722877d69f261422f35e366971a2489d9f4d1005bb0

SHA512
ea1936fc9c774b1039ba6cf1811c807071c59c7946f4f6dd118af1e42a6e9d339bee89b325533e2b3beef86515d2c52d7787a5da0a5ca3709a57f55a943888a4

Download Submit
\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll
Filesize
126KB

MD5
f6d14701e7c568254151e153f7763672

SHA1
4501ffb7284f29cca51b06deba0262b8d33f93f6

SHA256
e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d

SHA512
62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/68-1096-0x0000000000000000-mapping.dmp

Download
memory/384-777-0x0000000000750000-0x0000000000777000-memory.dmp

Filesize
156KB

Download
memory/384-727-0x0000000000780000-0x00000000007A2000-memory.dmp

Filesize
136KB

Download
memory/384-392-0x0000000000000000-mapping.dmp

Download
memory/856-1442-0x0000000000000000-mapping.dmp

Download
memory/860-844-0x0000000000630000-0x000000000063B000-memory.dmp

Filesize
44KB

Download
memory/860-815-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/860-462-0x0000000000000000-mapping.dmp

Download
memory/2124-148-0x00000000007A0000-0x00000000007A9000-memory.dmp

Filesize
36KB

Download
memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-150-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-146-0x00000000007C0000-0x000000000086E000-memory.dmp

Filesize
696KB

Download
memory/2124-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-124-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-127-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-783-0x00000000032A0000-0x00000000032A5000-memory.dmp

Filesize
20KB

Download
memory/2248-812-0x0000000003290000-0x0000000003299000-memory.dmp

Filesize
36KB

Download
memory/2248-426-0x0000000000000000-mapping.dmp

Download
memory/2248-1008-0x00000000032A0000-0x00000000032A5000-memory.dmp

Filesize
20KB

Download
memory/2452-500-0x0000000000000000-mapping.dmp

Download
memory/2452-1015-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2452-846-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2680-539-0x0000000000BF0000-0x0000000000BFD000-memory.dmp

Filesize
52KB

Download
memory/2680-504-0x0000000000000000-mapping.dmp

Download
memory/2680-534-0x0000000000E80000-0x0000000000E87000-memory.dmp

Filesize
28KB

Download
memory/2680-897-0x0000000000E80000-0x0000000000E87000-memory.dmp

Filesize
28KB

Download
memory/2712-860-0x0000000000000000-mapping.dmp

Download
memory/2916-869-0x00000000009B0000-0x00000000009B7000-memory.dmp

Filesize
28KB

Download
memory/2916-471-0x00000000009B0000-0x00000000009B7000-memory.dmp

Filesize
28KB

Download
memory/2916-292-0x0000000000000000-mapping.dmp

Download
memory/2916-528-0x00000000009A0000-0x00000000009AB000-memory.dmp

Filesize
44KB

Download
memory/3044-260-0x0000000000A90000-0x0000000000E3E000-memory.dmp

Filesize
3.7MB

Download
memory/3044-250-0x0000000000000000-mapping.dmp

Download
memory/3220-186-0x0000000000000000-mapping.dmp

Download
memory/3220-192-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-249-0x00000000024C0000-0x000000000251C000-memory.dmp

Filesize
368KB

Download
memory/3220-194-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-529-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3220-188-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-189-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-193-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-291-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3220-190-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3220-191-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3284-996-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/3284-674-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/3284-333-0x0000000000000000-mapping.dmp

Download
memory/3284-681-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/3364-928-0x0000000000000000-mapping.dmp

Download
memory/3508-925-0x0000000012590000-0x0000000012700000-memory.dmp

Filesize
1.4MB

Download
memory/3508-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-158-0x0000000000000000-mapping.dmp

Download
memory/3508-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-590-0x0000000012590000-0x0000000012700000-memory.dmp

Filesize
1.4MB

Download
memory/3508-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-308-0x0000000003020000-0x0000000003114000-memory.dmp

Filesize
976KB

Download
memory/3508-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-242-0x0000000003220000-0x00000000036F0000-memory.dmp

Filesize
4.8MB

Download
memory/3508-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-234-0x0000000003020000-0x0000000003114000-memory.dmp

Filesize
976KB

Download
memory/3508-185-0x0000000003220000-0x00000000036F0000-memory.dmp

Filesize
4.8MB

Download
memory/3508-184-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3508-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3584-1007-0x00000264963A0000-0x0000026496436000-memory.dmp

Filesize
600KB

Download
memory/3584-1013-0x0000026498410000-0x000002649849E000-memory.dmp

Filesize
568KB

Download
memory/3584-1003-0x0000000000000000-mapping.dmp

Download
memory/3972-1228-0x000000000044C25E-mapping.dmp

Download
memory/3972-1273-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3972-1342-0x0000000005240000-0x000000000527E000-memory.dmp

Filesize
248KB

Download
memory/4064-1002-0x0000000000E40000-0x0000000000E68000-memory.dmp

Filesize
160KB

Download
memory/4064-1239-0x0000000005750000-0x000000000585A000-memory.dmp

Filesize
1.0MB

Download
memory/4064-1346-0x0000000005AA0000-0x0000000005AEB000-memory.dmp

Filesize
300KB

Download
memory/4064-957-0x0000000000000000-mapping.dmp

Download
memory/4260-545-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4260-700-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4260-691-0x0000000002340000-0x000000000237E000-memory.dmp

Filesize
248KB

Download
memory/4260-482-0x0000000002340000-0x000000000237E000-memory.dmp

Filesize
248KB

Download
memory/4260-683-0x00000000008BA000-0x00000000008D9000-memory.dmp

Filesize
124KB

Download
memory/4260-476-0x00000000008BA000-0x00000000008D9000-memory.dmp

Filesize
124KB

Download
memory/4260-261-0x0000000000000000-mapping.dmp

Download
memory/4348-1356-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4456-1145-0x0000000000000000-mapping.dmp

Download
memory/4484-323-0x00000000004014B0-mapping.dmp

Download
memory/4544-927-0x0000000000AAA000-0x0000000000AC9000-memory.dmp

Filesize
124KB

Download
memory/4544-1065-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4544-1063-0x0000000000720000-0x000000000086A000-memory.dmp

Filesize
1.3MB

Download
memory/4544-1062-0x0000000000AAA000-0x0000000000AC9000-memory.dmp

Filesize
124KB

Download
memory/4544-669-0x0000000000000000-mapping.dmp

Download
memory/4544-929-0x0000000000720000-0x000000000086A000-memory.dmp

Filesize
1.3MB

Download
memory/4544-932-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4564-1357-0x0000000000000000-mapping.dmp

Download
memory/4580-397-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4580-843-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/4580-363-0x0000000000000000-mapping.dmp

Download
memory/4580-400-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/4592-544-0x0000000000000000-mapping.dmp

Download
memory/4592-847-0x0000000003370000-0x000000000337B000-memory.dmp

Filesize
44KB

Download
memory/4592-1014-0x0000000003380000-0x0000000003388000-memory.dmp

Filesize
32KB

Download
memory/4592-845-0x0000000003380000-0x0000000003388000-memory.dmp

Filesize
32KB

Download
memory/4700-1016-0x0000000000000000-mapping.dmp

Download
memory/5008-1286-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/5008-1001-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5008-1225-0x0000000005390000-0x0000000005996000-memory.dmp

Filesize
6.0MB

Download
memory/5084-311-0x0000000000000000-mapping.dmp

Download
memory/5084-335-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/5084-771-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/5084-338-0x0000000000DD0000-0x0000000000DDF000-memory.dmp

Filesize
60KB

Download

pid	process
3508	6E69.exe
4456	rundll32.exe
4456	rundll32.exe
4564	rundll32.exe
856	rundll32.exe