amadey | 39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96

Resubmissions

19-04-2024 01:20

240419-bp7d1ade6x 10

18-04-2024 22:31

240418-2fpqpshf91 10

Analysis

max time kernel
87s
max time network
306s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
Size

2.9MB
MD5

991ad8f508243cc6706d30d800cd5016
SHA1

8bde1d4bb724e947826ff19c90e5685f31eb5fef
SHA256

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96
SHA512

e76ddd0777a17fd1d28f860301602f03b729beb067adcfded6503ee9a4f3898dc064caf3c8b80e0e803be67685667005d2a9816e1eaf40ac25584a711f5ac3a5
SSDEEP

24576:bpGE2viqfRCgCfZIXcsUbODj6tmIvZaJaTtkCqwMrcUVnF+cD4I6cG8f1WWCwFGp:TQiwCDZkpNIRdc/l4I6IWFwFI/+Wdh

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exe39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exeamert.exe8928082c73.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8928082c73.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

33 2808 rundll32.exe
38 2176 rundll32.exe
Downloads MZ/PE file

flow	pid	process
33	2808	rundll32.exe
38	2176	rundll32.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amert.exeexplorha.exe39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exe8928082c73.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8928082c73.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8928082c73.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 5 IoCs

Processes:

explorha.exeamert.exe2c2fa65e23.exe8928082c73.exeexplorha.exe

pid process

2600 explorha.exe
2788 amert.exe
2808 2c2fa65e23.exe
1040 8928082c73.exe
2860 explorha.exe

pid	process
2600	explorha.exe
2788	amert.exe
2808	2c2fa65e23.exe
1040	8928082c73.exe
2860	explorha.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exeamert.exe8928082c73.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	8928082c73.exe
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine	explorha.exe

Loads dropped DLL 19 IoCs

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exerundll32.exerundll32.exerundll32.exe

pid	process
1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
2600	explorha.exe
2600	explorha.exe
2600	explorha.exe
2600	explorha.exe
2600	explorha.exe
2808	rundll32.exe
2808	rundll32.exe
2808	rundll32.exe
2808	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c2fa65e23.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\2c2fa65e23.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\8928082c73.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\8928082c73.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\2c2fa65e23.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exeamert.exe8928082c73.exeexplorha.exe

pid process

1468 39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
2600 explorha.exe
2788 amert.exe
1040 8928082c73.exe
2860 explorha.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

explorha.exe

description pid process target process

PID 2600 set thread context of 2860 2600 explorha.exe explorha.exe

description	pid	process	target process
PID 2600 set thread context of 2860	2600	explorha.exe	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exeamert.exe8928082c73.exechrome.exeexplorha.exerundll32.exepowershell.exe

pid	process
1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
2600	explorha.exe
2788	amert.exe
1040	8928082c73.exe
2108	chrome.exe
2108	chrome.exe
2860	explorha.exe
2176	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe
1268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeamert.exe2c2fa65e23.exechrome.exe

pid	process
1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
2788	amert.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

2c2fa65e23.exechrome.exe

pid	process
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2808	2c2fa65e23.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exeexplorha.exe2c2fa65e23.exechrome.exe

description	pid	process	target process
PID 1468 wrote to memory of 2600	1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe	explorha.exe
PID 1468 wrote to memory of 2600	1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe	explorha.exe
PID 1468 wrote to memory of 2600	1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe	explorha.exe
PID 1468 wrote to memory of 2600	1468	39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe	explorha.exe
PID 2600 wrote to memory of 2788	2600	explorha.exe	amert.exe
PID 2600 wrote to memory of 2788	2600	explorha.exe	amert.exe
PID 2600 wrote to memory of 2788	2600	explorha.exe	amert.exe
PID 2600 wrote to memory of 2788	2600	explorha.exe	amert.exe
PID 2600 wrote to memory of 2808	2600	explorha.exe	2c2fa65e23.exe
PID 2600 wrote to memory of 2808	2600	explorha.exe	2c2fa65e23.exe
PID 2600 wrote to memory of 2808	2600	explorha.exe	2c2fa65e23.exe
PID 2600 wrote to memory of 2808	2600	explorha.exe	2c2fa65e23.exe
PID 2808 wrote to memory of 2108	2808	2c2fa65e23.exe	chrome.exe
PID 2808 wrote to memory of 2108	2808	2c2fa65e23.exe	chrome.exe
PID 2808 wrote to memory of 2108	2808	2c2fa65e23.exe	chrome.exe
PID 2808 wrote to memory of 2108	2808	2c2fa65e23.exe	chrome.exe
PID 2108 wrote to memory of 2112	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 2112	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 2112	2108	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1040	2600	explorha.exe	8928082c73.exe
PID 2600 wrote to memory of 1040	2600	explorha.exe	8928082c73.exe
PID 2600 wrote to memory of 1040	2600	explorha.exe	8928082c73.exe
PID 2600 wrote to memory of 1040	2600	explorha.exe	8928082c73.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1632	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1708	2108	chrome.exe	chrome.exe
PID 2108 wrote to memory of 1708	2108	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe
"C:\Users\Admin\AppData\Local\Temp\39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\1000055001\2c2fa65e23.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\2c2fa65e23.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7429758,0x7fef7429768,0x7fef7429778
        5⤵
        
        PID:2112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1224 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:2
        5⤵
        
        PID:1632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:8
        5⤵
        
        PID:1708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:8
        5⤵
        
        PID:1364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2084 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:1
        5⤵
        
        PID:2532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:1
        5⤵
        
        PID:2848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2988 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:1
        5⤵
        
        PID:744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1912 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:2
        5⤵
        
        PID:2644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 --field-trial-handle=1268,i,738557061128668116,11772546424431696343,131072 /prefetch:8
        5⤵
        
        PID:2076
- - C:\Users\Admin\AppData\Local\Temp\1000056001\8928082c73.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\8928082c73.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1768
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2176
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\461186416230_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\50085aaa-e7b1-4d8a-aa02-e6c2b1178993.tmp

Filesize
5KB

MD5
f4208cd088324a0753615a0674c6b703

SHA1
ffe6948574477078fd2fb674387246e88359695b

SHA256
dfcf1e1ae3f0858c0a66255e5d0a1b9f128d2bcd4564d44d14cef1f230e7a14c

SHA512
90aeeec626a8e5fd6715ff412301e55211e39b70ce9113cb16ce160b4e57bc54c6481a0b80ca359b1117cfc5f645ba765abe57e649e91ed410893034608cea0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
377eed09d3ea1fdd3f9d18a5668c9622

SHA1
aec7679a8b615d454792ad07f747d287fa6df1e4

SHA256
3e798d9b4289a0bb10739526e446580719edd2826ae171ce1803711d4d9deb95

SHA512
2afc921b57dcfde8bc435bc0802eb8f8fbf7eeb4580026c0048091299fa6c7443cf24e6290799b1c3041e76ff2028e13e299defe6390d90f8a242758e0b84f9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0c897eb4af2da87a2116c66497331836

SHA1
2e7233c7e69d382feec21a1bcee5c51363600a99

SHA256
da91373f334fe799f0c7651ef9b9a4438e3ba55262a4e8fa2aa04c91bbfd7b20

SHA512
3e67f4cf84b8f86e6033fe72b790409da8b65d9bcf5616048500dc150e3075f6050a322c067b28d34d6232ad78182d9ffe19d644999de1e04964f6afa25a5f37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fa22feee600690a03a9b96f48e8048b9

SHA1
43ea8976da90c301c03566b2702c5033e4a5f5e1

SHA256
97da1e7d6afa703e229e3211dd48c71e1b5e40c4d70eb507eadf6656c29285cb

SHA512
19c3047ff0285307b81dcc31fb19ac3204a38746dc06e782be973e75e6ba6ac45d7c04a80fe99e3431f2e368bd0d1343c23fc1e87f40a8688b10046a42400618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
4dc8326a7b55e526b0f9752455d6fcd4

SHA1
35e2c784f9876d3adfc8ee93ac92c69f0c804aee

SHA256
89a0ecfbed0ae3bf1edbd44603629aae7e5838829f4cd62852babc886a1872a3

SHA512
cc4440e7c2ba259a7eabe5f7106ef8d91a198dbd92aa0e8ec3896e8cd8f64d10472b3062974543ee60abb8a509f6170a3edcaf1b929f427ab7d256dcfb26f107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe

Filesize
1.8MB

MD5
1ed78f44a2cad6e08da27edbc701b4bc

SHA1
e7a8bc103762db81429b13497c065ac16cac4b85

SHA256
20bd5a075cfee256a6cc19803fb9964834590840ada1212f7eca0a9d990e8359

SHA512
3882675eadbc45a7b534c0efc671551926bbc333275e03e8a4b23fdfc958af231094b65855fceccf6ec7c63ead1ad1a21bf3853e95eb05adca093a7820c22244

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\2c2fa65e23.exe

Filesize
1.1MB

MD5
76c779d2a6e42c6dbcff43e67bb38ca3

SHA1
558f8e6b714efaeaba794e7d2b7821936a4da077

SHA256
e820be731929c621a94de7bd83e0da4796c103632961bda20ffbd568279e6f43

SHA512
516d91d0e635f3468d135bf51f507fe3d81c1fb72c8baccc08a0e7c05c6dcaefd2816ca937cb2f8ca0ab8f4c8e78a2917b22dc10c289221e8450cfba34bebf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\8928082c73.exe

Filesize
2.2MB

MD5
3709ad0a7007bcae942b905a07bd6bba

SHA1
9d25192c841f3b2fb1b9bbb0dfdcec6cdaaca3a7

SHA256
2248caa741ec4d757c597091f2bab56f694181ef5a677bdab47d990e4c7f695a

SHA512
d41cbc49ded02909e0eae68da22988c36993bde9db4025f64d45007d2c47ed07a7cdc1a2b28ae1cb7ecb8d4c5169cb4084650adaddb656caf33b4e0ad85239fc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\crashpad_2108_PFWVZIDSJCIJZJGV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
2.9MB

MD5
991ad8f508243cc6706d30d800cd5016

SHA1
8bde1d4bb724e947826ff19c90e5685f31eb5fef

SHA256
39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96

SHA512
e76ddd0777a17fd1d28f860301602f03b729beb067adcfded6503ee9a4f3898dc064caf3c8b80e0e803be67685667005d2a9816e1eaf40ac25584a711f5ac3a5

Download Submit
memory/1040-337-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-389-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-126-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-350-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-364-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-372-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-374-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1040-387-0x00000000011A0000-0x0000000001732000-memory.dmp

Filesize
5.6MB

Download
memory/1468-5-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1468-10-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1468-13-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1468-30-0x0000000000F40000-0x0000000001258000-memory.dmp

Filesize
3.1MB

Download
memory/1468-29-0x0000000006430000-0x0000000006748000-memory.dmp

Filesize
3.1MB

Download
memory/1468-16-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1468-14-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1468-8-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1468-9-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1468-12-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1468-11-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1468-7-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1468-0-0x0000000000F40000-0x0000000001258000-memory.dmp

Filesize
3.1MB

Download
memory/1468-6-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1468-3-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1468-4-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download
memory/1468-2-0x0000000000F40000-0x0000000001258000-memory.dmp

Filesize
3.1MB

Download
memory/1468-17-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1468-1-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/2600-46-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2600-37-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2600-254-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-40-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2600-331-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-42-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2600-41-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2600-349-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-39-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2600-355-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-38-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2600-201-0x0000000006630000-0x0000000006BC2000-memory.dmp

Filesize
5.6MB

Download
memory/2600-36-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2600-369-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-43-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2600-373-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-35-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2600-91-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-386-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-97-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-45-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2600-34-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2600-164-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-122-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-124-0x0000000006630000-0x0000000006BC2000-memory.dmp

Filesize
5.6MB

Download
memory/2600-125-0x0000000006630000-0x0000000006BC2000-memory.dmp

Filesize
5.6MB

Download
memory/2600-63-0x0000000006630000-0x0000000006AFE000-memory.dmp

Filesize
4.8MB

Download
memory/2600-127-0x0000000006630000-0x0000000006AFE000-memory.dmp

Filesize
4.8MB

Download
memory/2600-49-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2600-48-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2600-147-0x00000000062C0000-0x00000000065D8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-31-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-32-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-47-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2600-390-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2600-33-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2600-388-0x00000000010A0000-0x00000000013B8000-memory.dmp

Filesize
3.1MB

Download
memory/2788-67-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2788-70-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2788-99-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2788-92-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2788-90-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2788-89-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2788-88-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2788-64-0x0000000001250000-0x000000000171E000-memory.dmp

Filesize
4.8MB

Download
memory/2788-69-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2788-103-0x0000000001250000-0x000000000171E000-memory.dmp

Filesize
4.8MB

Download
memory/2788-74-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2788-76-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2788-65-0x0000000001250000-0x000000000171E000-memory.dmp

Filesize
4.8MB

Download
memory/2788-73-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2788-72-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2788-71-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2788-66-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2788-84-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2788-68-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2788-85-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2860-205-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-243-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-244-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-245-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-246-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-247-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-248-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-249-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-250-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-251-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-252-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-253-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-242-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-268-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-269-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-270-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-271-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-273-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-241-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-240-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-239-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-238-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-224-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-222-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-219-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-210-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-199-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-198-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-193-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-190-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-188-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-187-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-168-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-163-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-162-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-160-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-150-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download
memory/2860-146-0x0000000000400000-0x000000000097A000-memory.dmp

Filesize
5.5MB

Download