Malware Analysis Report

2025-08-11 01:12

Sample ID: 240325-b9l9kacg33
Target: c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee
SHA256: c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee
Tags: amadey risepro zgrat evasion persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee

Threat Level: Known bad

The file c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee was found to be: Known bad.

Malicious Activity Summary

amadey risepro zgrat evasion persistence rat spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

Amadey

ZGRat

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-25 01:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 01:50
Reported: 2024-03-25 01:53
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 156s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RisePro

stealer risepro

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4392 created 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Windows\System32\RuntimeBroker.exe

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97d2443fb7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\97d2443fb7.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wtoldkft = "C:\\Users\\Admin\\AppData\\Roaming\\Wtoldkft.exe" | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1244 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1280 wrote to memory of 4468 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 1280 wrote to memory of 4468 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 4468 wrote to memory of 3176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 4468 wrote to memory of 3176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 4468 wrote to memory of 220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
PID 1244 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
PID 1244 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
PID 2748 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2748 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2748 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 1244 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 4940 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe
PID 4940 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe
PID 4940 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe
PID 1244 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 1244 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 1244 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4940 wrote to memory of 6132 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 6132 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 6132 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 6132 wrote to memory of 5156 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 6132 wrote to memory of 5156 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 4940 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4940 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4940 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 5156 wrote to memory of 5220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 5156 wrote to memory of 5220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 5156 wrote to memory of 5416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5156 wrote to memory of 5416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 4940 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 4940 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
PID 4940 wrote to memory of 5156 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 5156 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 5156 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
PID 4392 wrote to memory of 5872 | N/A | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe | C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe

Processes

Image: C:\Windows\System32\RuntimeBroker.exe
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

Image: C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe"

Image: C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Command line: C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

Image: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

Image: C:\Windows\system32\netsh.exe
Command line: netsh wlan show profiles

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal

Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Image: C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"

Image: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

Image: C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

Image: C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe"

Image: C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe"

Image: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

Image: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

Image: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

Image: C:\Windows\system32\netsh.exe
Command line: netsh wlan show profiles

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal

Image: C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"

Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

Image: C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
Command line: C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Image: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Image: C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 2bb882f05824de9a479e3b8351cdf58d
SHA1 153c24fd281341558e3c307a3c13fcf78a30071b
SHA256 c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee
SHA512 3742e1d6919e2f4c68f34bcebb43d189e7f28323a5a8fd4d081f12957fc319842c2592d191f99f4f28997ad566c67d7d4b75e42e657ce4ab4bca6ad89bc9001c

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vb5cxnpd.xkn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe

MD5 0f1f137ec50935756eb506a1e7a24796
SHA1 163426991cd993b8590e3739cbaa500ddb258806
SHA256 6e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
SHA512 c88e472e4c6942665a11f15e4f2e3a2ff00492eeee443a8c392a48b3b1c175ae87d1b8e0c29b63a669d23b522a2cc17bbff74bdd6767a56cfe9b75ab3e74865d

C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe

MD5 2763d20c2151f640cabffc4ae240c33f
SHA1 efa706682ada938daea3dd675fb303136b2e2310
SHA256 44e14f844afcc6aa16effc6c090efa62be7491bcfcec572b260199e31845da5b
SHA512 b29583c52db36be8dc45a745918f3a592978c15992ab1895806571ff28f1a574fd388207fd653f18a4b75fb4ccd597a27e7fc13d16fff59e43d771ad26395e81

C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe

MD5 90c738cebe2f8dda5d53e777ad286a43
SHA1 58daf4a99c9c148f38b3e6173d5f7ac01bcfaf16
SHA256 d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
SHA512 7b77c041a5e1548403db8f749c90209a5bb4a8c1c178003d7af2641f94e1745b6e89abadfed441dd41c492cd134863afb57353a918d94ce308b2884cfdf29620

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8358e35f7233f23485f5bebfdd94ac45
SHA1 b055602516d07926b0bd13860887294482e2b24d
SHA256 e43a3c5a6279c3fe669b46fe4acd681c5f4c58afb06efe6a8aefffc9bc1ccf42
SHA512 984ff47aa9c00c4d13d53772f3c92c8b64e26fc2b8af5aca9df443eecf68dc238f29ad01d177c88458f8f2f5409522e59186d8205f4b8bec6926fcfec7f7f55d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cef374ab8fe4fe51d97d2615a88b076f
SHA1 eed2f61fe466be489411a713ba4c6944dc576ced
SHA256 1774d41c6d8f1ebb264433d11f66f3972243abed4f6f54e085cf5e6cbd498baa
SHA512 6b89f9a6688b530629312e084c1e5551c07139554440044c9df54b833b01cc9a020fba02c79dd0190a2cd65275fa37dfc86b077ce95821d22127503fff15b4f2

C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

MD5 d467222c3bd563cb72fa49302f80b079
SHA1 9335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256 fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512 484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 01:50

Reported

2024-03-25 01:53

Platform

win11-20240319-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 580 set thread context of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 580 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 580 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 580 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 5728 wrote to memory of 5724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5728 wrote to memory of 5724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5724 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 5724 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 5724 wrote to memory of 5376 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5724 wrote to memory of 5376 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 580 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 580 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 580 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
PID 580 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe

"C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

Network

Country Destination Domain Proto
RU 185.215.113.32:80 185.215.113.32 tcp
RU 193.233.132.216:57893 193.233.132.216 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 193.233.132.216:57893 193.233.132.216 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 193.233.132.167:80 193.233.132.167 tcp

Files

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 2bb882f05824de9a479e3b8351cdf58d
SHA1 153c24fd281341558e3c307a3c13fcf78a30071b
SHA256 c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee
SHA512 3742e1d6919e2f4c68f34bcebb43d189e7f28323a5a8fd4d081f12957fc319842c2592d191f99f4f28997ad566c67d7d4b75e42e657ce4ab4bca6ad89bc9001c

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 8f216f946becf1a5083d738f5af6c913
SHA1 0f6f77e898482476b850d613dbe8c2b98626315e
SHA256 f9d83a881ae8541c5be30b13b24dbfeb688df14a83680d5a4df2f1f242a2dc7a
SHA512 982a77b5ad1bcf02e88523dc080e9bf12960b0af4aff383b7e3717abe98601da01adafa32ede1729b99bc35721461915f34289c520b631b469da9a9195859914

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0okmttqq.rqr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
