amadey | 3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05-08-2023 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0006000000016d0a-96.exe
Size

232KB
MD5

743b5c9f6f5fbb5059346a2376985923
SHA1

f3d448aa71523d8684958845e8f6dfdf7d6a9b67
SHA256

3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd
SHA512

510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c
SSDEEP

3072:3vtV3ROZ6RDwrR3wMUzUVwQ3rInyRnIvPak3hhiHFSbuZhuNcZVKBzqm8LHIkbGB:ftV3euVz6rKyS3yHFHhuNcPKpwU+

Score

10^/10

amadey persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2280	pdates.exe
2704	faman.exe
2716	pdates.exe
1872	pdates.exe
3008	pdates.exe

Loads dropped DLL 7 IoCs

pid	Process
2608	0x0006000000016d0a-96.exe
2280	pdates.exe
3056	regsvr32.exe
1156	rundll32.exe
1156	rundll32.exe
1156	rundll32.exe
1156	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\faman.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000025051\\faman.exe"	pdates.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2588	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2608	0x0006000000016d0a-96.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2280	2608	0x0006000000016d0a-96.exe	28
PID 2608 wrote to memory of 2280	2608	0x0006000000016d0a-96.exe	28
PID 2608 wrote to memory of 2280	2608	0x0006000000016d0a-96.exe	28
PID 2608 wrote to memory of 2280	2608	0x0006000000016d0a-96.exe	28
PID 2280 wrote to memory of 2588	2280	pdates.exe	29
PID 2280 wrote to memory of 2588	2280	pdates.exe	29
PID 2280 wrote to memory of 2588	2280	pdates.exe	29
PID 2280 wrote to memory of 2588	2280	pdates.exe	29
PID 2280 wrote to memory of 2428	2280	pdates.exe	31
PID 2280 wrote to memory of 2428	2280	pdates.exe	31
PID 2280 wrote to memory of 2428	2280	pdates.exe	31
PID 2280 wrote to memory of 2428	2280	pdates.exe	31
PID 2428 wrote to memory of 2252	2428	cmd.exe	33
PID 2428 wrote to memory of 2252	2428	cmd.exe	33
PID 2428 wrote to memory of 2252	2428	cmd.exe	33
PID 2428 wrote to memory of 2252	2428	cmd.exe	33
PID 2428 wrote to memory of 1320	2428	cmd.exe	34
PID 2428 wrote to memory of 1320	2428	cmd.exe	34
PID 2428 wrote to memory of 1320	2428	cmd.exe	34
PID 2428 wrote to memory of 1320	2428	cmd.exe	34
PID 2428 wrote to memory of 2892	2428	cmd.exe	35
PID 2428 wrote to memory of 2892	2428	cmd.exe	35
PID 2428 wrote to memory of 2892	2428	cmd.exe	35
PID 2428 wrote to memory of 2892	2428	cmd.exe	35
PID 2428 wrote to memory of 2596	2428	cmd.exe	36
PID 2428 wrote to memory of 2596	2428	cmd.exe	36
PID 2428 wrote to memory of 2596	2428	cmd.exe	36
PID 2428 wrote to memory of 2596	2428	cmd.exe	36
PID 2428 wrote to memory of 2836	2428	cmd.exe	37
PID 2428 wrote to memory of 2836	2428	cmd.exe	37
PID 2428 wrote to memory of 2836	2428	cmd.exe	37
PID 2428 wrote to memory of 2836	2428	cmd.exe	37
PID 2428 wrote to memory of 2844	2428	cmd.exe	38
PID 2428 wrote to memory of 2844	2428	cmd.exe	38
PID 2428 wrote to memory of 2844	2428	cmd.exe	38
PID 2428 wrote to memory of 2844	2428	cmd.exe	38
PID 2280 wrote to memory of 2704	2280	pdates.exe	40
PID 2280 wrote to memory of 2704	2280	pdates.exe	40
PID 2280 wrote to memory of 2704	2280	pdates.exe	40
PID 2280 wrote to memory of 2704	2280	pdates.exe	40
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2704 wrote to memory of 3056	2704	faman.exe	41
PID 2808 wrote to memory of 2716	2808	taskeng.exe	43
PID 2808 wrote to memory of 2716	2808	taskeng.exe	43
PID 2808 wrote to memory of 2716	2808	taskeng.exe	43
PID 2808 wrote to memory of 2716	2808	taskeng.exe	43
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2280 wrote to memory of 1156	2280	pdates.exe	46
PID 2808 wrote to memory of 1872	2808	taskeng.exe	47
PID 2808 wrote to memory of 1872	2808	taskeng.exe	47
PID 2808 wrote to memory of 1872	2808	taskeng.exe	47
PID 2808 wrote to memory of 1872	2808	taskeng.exe	47
PID 2808 wrote to memory of 3008	2808	taskeng.exe	48
PID 2808 wrote to memory of 3008	2808	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\0x0006000000016d0a-96.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000016d0a-96.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "pdates.exe" /P "Admin:N"
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "pdates.exe" /P "Admin:R" /E
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\925e7e99c5" /P "Admin:N"
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\925e7e99c5" /P "Admin:R" /E
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\1000025051\faman.exe
    "C:\Users\Admin\AppData\Local\Temp\1000025051\faman.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /u G_YhMAeO.C /s
      4⤵
      Loads dropped DLL
      PID:3056
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1156

C:\Windows\system32\taskeng.exe
taskeng.exe {A599E505-F8AE-45C7-ABA0-DE738BE15C52} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  2⤵
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000025051\faman.exe

Filesize
2.5MB

MD5
e1d2add4263bd1864f7e6911686247cb

SHA1
0d80e8d20a015a2243e16f4d49f81b1d4e9831b2

SHA256
262557cb12fb62cedd8e0256d845ac0cd2c087fed82a7cf3e78573f5b0f953ef

SHA512
5acd9cb8709b92b667ae4654c62b58644c85648dcfdcd1f3ff921aae12846df066a59e1d1352a4f84026dbf6ac7cf2abef1b416a23c12a1f310a2760924aaf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025051\faman.exe

Filesize
2.5MB

MD5
e1d2add4263bd1864f7e6911686247cb

SHA1
0d80e8d20a015a2243e16f4d49f81b1d4e9831b2

SHA256
262557cb12fb62cedd8e0256d845ac0cd2c087fed82a7cf3e78573f5b0f953ef

SHA512
5acd9cb8709b92b667ae4654c62b58644c85648dcfdcd1f3ff921aae12846df066a59e1d1352a4f84026dbf6ac7cf2abef1b416a23c12a1f310a2760924aaf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025051\faman.exe

Filesize
2.5MB

MD5
e1d2add4263bd1864f7e6911686247cb

SHA1
0d80e8d20a015a2243e16f4d49f81b1d4e9831b2

SHA256
262557cb12fb62cedd8e0256d845ac0cd2c087fed82a7cf3e78573f5b0f953ef

SHA512
5acd9cb8709b92b667ae4654c62b58644c85648dcfdcd1f3ff921aae12846df066a59e1d1352a4f84026dbf6ac7cf2abef1b416a23c12a1f310a2760924aaf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\G_YhMAeO.C

Filesize
2.4MB

MD5
86ed27f97783f47a2ccd529042117de6

SHA1
60e16cfd4b7d9700b5eca61059790ab2b77c2aa7

SHA256
73514aa180d5c145d511270bea11061e1c56b530b5dc20b25c13b77b553cc50a

SHA512
eac16d22276338f41b253b19f38ac6315a393a53a65cb893fb962b9312ba46ae82c2626dd78aadeca4ab4afd7f7c49c1ad486964aae1589ea30254b312a8359a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit
\Users\Admin\AppData\Local\Temp\1000025051\faman.exe

Filesize
2.5MB

MD5
e1d2add4263bd1864f7e6911686247cb

SHA1
0d80e8d20a015a2243e16f4d49f81b1d4e9831b2

SHA256
262557cb12fb62cedd8e0256d845ac0cd2c087fed82a7cf3e78573f5b0f953ef

SHA512
5acd9cb8709b92b667ae4654c62b58644c85648dcfdcd1f3ff921aae12846df066a59e1d1352a4f84026dbf6ac7cf2abef1b416a23c12a1f310a2760924aaf7b

Download Submit
\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
232KB

MD5
743b5c9f6f5fbb5059346a2376985923

SHA1
f3d448aa71523d8684958845e8f6dfdf7d6a9b67

SHA256
3c01340745ceefc84969818dc24e3e766fca00df81d75a97e97a16f3af8db8fd

SHA512
510fdefcc9f72bc8b8395304a4137a85011bf2c7454b3ca37c42711899a4abb97507a9074bb35648b6c77b567e55a40b0676c4f5b5a4cdb2b1aa91a6eb94ff9c

Download Submit
\Users\Admin\AppData\Local\Temp\g_yhMAeO.c

Filesize
2.4MB

MD5
86ed27f97783f47a2ccd529042117de6

SHA1
60e16cfd4b7d9700b5eca61059790ab2b77c2aa7

SHA256
73514aa180d5c145d511270bea11061e1c56b530b5dc20b25c13b77b553cc50a

SHA512
eac16d22276338f41b253b19f38ac6315a393a53a65cb893fb962b9312ba46ae82c2626dd78aadeca4ab4afd7f7c49c1ad486964aae1589ea30254b312a8359a

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
memory/2608-53-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3056-81-0x0000000002050000-0x00000000022BF000-memory.dmp

Filesize
2.4MB

Download
memory/3056-89-0x0000000000390000-0x0000000000479000-memory.dmp

Filesize
932KB

Download
memory/3056-88-0x0000000000390000-0x0000000000479000-memory.dmp

Filesize
932KB

Download
memory/3056-85-0x0000000000390000-0x0000000000479000-memory.dmp

Filesize
932KB

Download
memory/3056-84-0x00000000024F0000-0x00000000025F2000-memory.dmp

Filesize
1.0MB

Download
memory/3056-80-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/3056-79-0x0000000002050000-0x00000000022BF000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads