amadey | b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a

Analysis

max time kernel
112s
max time network
268s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Size

2.9MB
MD5

3c4127b40346e1bfcc2df12b027d120a
SHA1

0f9a40b9aa9035c09153a9a47135425ea1250bd4
SHA256

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a
SHA512

92d22cf914b9c5c8c5448bb5df97bec499d028d051ce3018f81181ac624a2311c29531d446d40a2ae846294c0b5aab8a3d956bcf7354dd1c30d201d83aa00209
SSDEEP

49152:dj7FAVCDcnMoUZtuDRTqVp9mN3W5B/bs7qLuL:d1AVCDcnMoUZtuDqkiB/CL

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exe50d0b9eada.exeexplorha.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	50d0b9eada.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

29 2056 rundll32.exe
35 2516 rundll32.exe
Downloads MZ/PE file

flow	pid	process
29	2056	rundll32.exe
35	2516	rundll32.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe50d0b9eada.exeamert.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	50d0b9eada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	50d0b9eada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 5 IoCs

Processes:

explorha.exe1854307fae.exe50d0b9eada.exeexplorha.exeamert.exe

pid process

2748 explorha.exe
1796 1854307fae.exe
1556 50d0b9eada.exe
2252 explorha.exe
2844 amert.exe

pid	process
2748	explorha.exe
1796	1854307fae.exe
1556	50d0b9eada.exe
2252	explorha.exe
2844	amert.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeamert.exeb3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exe50d0b9eada.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	50d0b9eada.exe

Loads dropped DLL 18 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exerundll32.exerundll32.exerundll32.exe

pid	process
3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
2748	explorha.exe
2748	explorha.exe
2748	explorha.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2748	explorha.exe
2748	explorha.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\1854307fae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\1854307fae.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\50d0b9eada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\50d0b9eada.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exe50d0b9eada.exeamert.exeexplorha.exe

pid process

3068 b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
2748 explorha.exe
1556 50d0b9eada.exe
2844 amert.exe
2252 explorha.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

explorha.exe

description pid process target process

PID 2748 set thread context of 2252 2748 explorha.exe explorha.exe

description	pid	process	target process
PID 2748 set thread context of 2252	2748	explorha.exe	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exechrome.exe50d0b9eada.exerundll32.exepowershell.exeamert.exeexplorha.exe

pid	process
3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
2748	explorha.exe
2148	chrome.exe
2148	chrome.exe
1556	50d0b9eada.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2676	powershell.exe
2844	amert.exe
2252	explorha.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe
Token: SeShutdownPrivilege	2148	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe1854307fae.exechrome.exe

pid	process
3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
1796	1854307fae.exe
1796	1854307fae.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
2148	chrome.exe
2148	chrome.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

1854307fae.exechrome.exe

pid	process
1796	1854307fae.exe
1796	1854307fae.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
2148	chrome.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe
1796	1854307fae.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exe1854307fae.exechrome.exe

description	pid	process	target process
PID 3068 wrote to memory of 2748	3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 3068 wrote to memory of 2748	3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 3068 wrote to memory of 2748	3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 3068 wrote to memory of 2748	3068	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 2748 wrote to memory of 1796	2748	explorha.exe	1854307fae.exe
PID 2748 wrote to memory of 1796	2748	explorha.exe	1854307fae.exe
PID 2748 wrote to memory of 1796	2748	explorha.exe	1854307fae.exe
PID 2748 wrote to memory of 1796	2748	explorha.exe	1854307fae.exe
PID 1796 wrote to memory of 2148	1796	1854307fae.exe	chrome.exe
PID 1796 wrote to memory of 2148	1796	1854307fae.exe	chrome.exe
PID 1796 wrote to memory of 2148	1796	1854307fae.exe	chrome.exe
PID 1796 wrote to memory of 2148	1796	1854307fae.exe	chrome.exe
PID 2148 wrote to memory of 1512	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 1512	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 1512	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2516	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 1876	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 1876	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 1876	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe
PID 2148 wrote to memory of 2756	2148	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
"C:\Users\Admin\AppData\Local\Temp\b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe
"C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73a9758,0x7fef73a9768,0x7fef73a9778
5⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:2
5⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:8
5⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:8
5⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2332 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:1
5⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:1
5⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:2
5⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2264 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:1
5⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2512 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:1
5⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3408 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:8
5⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1224,i,14858965567516074062,57905084960465955,131072 /prefetch:8
5⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\1000056001\50d0b9eada.exe
"C:\Users\Admin\AppData\Local\Temp\1000056001\50d0b9eada.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:668

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\721934792624_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8b39d543ed1b448df4a054cf507ccd21

SHA1
6450f830780e38e954c837730faff3905e0dbccf

SHA256
9181578eddc4dbe07623b2ed385ddb4b2c5e4bd5f8d0257f11535ca3916317c0

SHA512
1740d373dc2f01bcc90c8698ccdede26f95c3f8a94086908abfad091991f330319bce41e39ff2c39faec2c9ee36ac32ad0e694f6e4d43b293598de2aa12a2cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
4ca6d4a14f9c83cbdd26fe2c3ecaa15b

SHA1
1e3ada9cacec3dde5fd11d343c45a37f66eeb859

SHA256
78f0e425fe83ef9a41e00443936a0706d4d5a6eb0ef79b0bfe201d0c6ba001da

SHA512
532c8fb30ece8d4ffe349fcc0adea08d1f3f401808498caa575aaaa94f9b5082c7be49bb6d09f1e95d094019c6c1d1779a610f28796d2e3c816f7fc0e36f0a4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f275a8129374bc03aac5ba8a2fa3edcb

SHA1
0406bccf6d0568eeceea3c44869673acba8616da

SHA256
fbea3b61125e993025b716874d074e52b88a4cab4b4853e3fe263fdf1059288f

SHA512
104b34c119c1838daa5840b21740df3cede5232339a8ae613b2f0d2b5655e327de9b8d4db0fad9b8c35c2e8f0656ce98bf18c3729f5d6a544f75e12fbb6e4992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
525B

MD5
ba6bbf7f04743e0c49c0b6c8cb6b5186

SHA1
b886edb35d36e426946a30e53044e2949a85db8a

SHA256
bdf4593bc417143f6252e0355375da0b1b8cfece74fa84904f414183ef103c53

SHA512
4bf3f57dc6ce2837c2d36d9ad4f478593b1f7291144586590faedf3116fb637667a55f612e70a95d6813014da95436c4fd616c87f42e641f7968a4aa16a4713e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
525B

MD5
407810719016af240345a3e18d1349b4

SHA1
02885546f4d98512c30eff5db98580675d276fd2

SHA256
99d01f74413d7a675d72c489f2b715eab178a676de478747e50b9da3e5f53783

SHA512
6d43f07e6eb3f519030cb888d54e204cc9af4d33ec5f2e88c0dbc6563cb0038e27c6ad2ac97164e74bfff12223c0ddca37e5bd9ac9e26b4d6819e8a0770f2ae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a80a173bb7664cfb644d15e7cb1318f0

SHA1
a6e942c547364938ac84714b7325051fd3212aad

SHA256
2b97de7c0c5f035b22108d39d449056c725db1b10059bfb962fc1fb09629701d

SHA512
c7c6516ffcde20ac883acb5c3e8f7450bb33649799238a9fc7242d175b7abb2a5b74d76f03b61d64de59815e0a84cde107f328309f88fb56584480ee2add16aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6df517383941809e94f914747e340afc

SHA1
1cd09db79c135b259fde1a0c2c083fbbf9fccffb

SHA256
8db2d61108b8ce3903c12fe9124969c9d7507ee855454af8506c89c73a3a5a10

SHA512
da10410ea2e0ed9b58f757739adfdd9a310ae61a72fb7daaf476823ca26853511f701b3bddc17c6fe224c97073e1d419b640cbeb59e3435ba371e279df208ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe
Filesize
1.1MB

MD5
09120962fea94b32a79b8090513783a7

SHA1
679c68326a9aee2d95d36b90dd192fc808651cc0

SHA256
b9c8b39afb1f568ad99abb273693af4aa053c3ff36c785a08007b26018d70818

SHA512
0b5bb68cd7c784918ea04ded213ac3dc67ecdf2650aba96fc08ceaba2010e694a3d9132e0cfd503acb5c0e93ba42209f4e1d0d7e64c5f2e537c6eba63c5c05f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\50d0b9eada.exe
Filesize
2.3MB

MD5
69eea6da5a972f99322787e2e1ddcee6

SHA1
8e8e9a999e06b2def82dae7437bc05a23db8fe94

SHA256
7cac339733c031b7c81290794a2e56f1894ff81d7db3f920d43e9da76ffb042b

SHA512
f41e06a426bff8f0756916546533f80af5b439fc13bd711411ed21715fd7d0cdaf2708c1bc55f20c962cd8919bd829588c672cb955b3191b7aef2a2c2d7c3123

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
Filesize
1.9MB

MD5
42ad64483405b6ce53c4966870c902ec

SHA1
c21642320252e799c8fdb2b88acf177254dccacf

SHA256
e5fb190cb34afa45533f59258b8415cd2788042a5e7b83b2c1560c0189b3a521

SHA512
62624070f30d2095ff53c0dee499c77f00e45c1c251a64cf18f7b885742ea0c5a0f4b931a01ecdbb10303be4763f6e7eb7d315ce13e2b8947df2d7ccbc0c2db0

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\crashpad_2148_NSORSOJMXZMUUOHP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
2.9MB

MD5
3c4127b40346e1bfcc2df12b027d120a

SHA1
0f9a40b9aa9035c09153a9a47135425ea1250bd4

SHA256
b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a

SHA512
92d22cf914b9c5c8c5448bb5df97bec499d028d051ce3018f81181ac624a2311c29531d446d40a2ae846294c0b5aab8a3d956bcf7354dd1c30d201d83aa00209

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
memory/1556-361-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-163-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1556-342-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-347-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-170-0x0000000002D50000-0x0000000002D52000-memory.dmp

Filesize
8KB

Download
memory/1556-169-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/1556-168-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1556-167-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1556-166-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1556-165-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1556-164-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/1556-280-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-162-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1556-161-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1556-160-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1556-157-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1556-159-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1556-158-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1556-156-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1556-154-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-359-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-365-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-385-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/1556-387-0x0000000001070000-0x0000000001635000-memory.dmp

Filesize
5.8MB

Download
memory/2252-274-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-254-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-318-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-285-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-312-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-287-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-310-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-305-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-308-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-307-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-298-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-283-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-281-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-275-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-273-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-270-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-272-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-268-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-260-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-266-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-259-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-257-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-255-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-253-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-196-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-245-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-198-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-199-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-201-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-203-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-243-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-206-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-214-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-215-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-242-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-241-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-239-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-220-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2252-227-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2676-226-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/2676-228-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/2676-221-0x000007FEF2E30000-0x000007FEF37CD000-memory.dmp

Filesize
9.6MB

Download
memory/2676-219-0x0000000001FB0000-0x0000000002030000-memory.dmp

Filesize
512KB

Download
memory/2676-218-0x000007FEF2E30000-0x000007FEF37CD000-memory.dmp

Filesize
9.6MB

Download
memory/2676-216-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2676-213-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2748-44-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/2748-45-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2748-386-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-384-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-46-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2748-30-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-364-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-31-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-32-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2748-33-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2748-34-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2748-271-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-36-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2748-38-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2748-37-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2748-360-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-35-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/2748-39-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2748-40-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2748-41-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2748-358-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-43-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2748-346-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-155-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-153-0x0000000006C50000-0x0000000007215000-memory.dmp

Filesize
5.8MB

Download
memory/2748-197-0x0000000006630000-0x0000000006955000-memory.dmp

Filesize
3.1MB

Download
memory/2748-152-0x0000000006C50000-0x0000000007215000-memory.dmp

Filesize
5.8MB

Download
memory/2748-151-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-341-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2748-150-0x0000000001340000-0x0000000001665000-memory.dmp

Filesize
3.1MB

Download
memory/2844-320-0x0000000000C80000-0x000000000115A000-memory.dmp

Filesize
4.9MB

Download
memory/3068-27-0x00000000009E0000-0x0000000000D05000-memory.dmp

Filesize
3.1MB

Download
memory/3068-5-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3068-14-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3068-9-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3068-0-0x00000000009E0000-0x0000000000D05000-memory.dmp

Filesize
3.1MB

Download
memory/3068-7-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3068-15-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3068-19-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/3068-28-0x0000000006B50000-0x0000000006E75000-memory.dmp

Filesize
3.1MB

Download
memory/3068-10-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3068-12-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3068-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3068-2-0x00000000009E0000-0x0000000000D05000-memory.dmp

Filesize
3.1MB

Download
memory/3068-1-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download