amadey | f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
Size

1.8MB
MD5

169d873778a229bcb4f010f87930cb28
SHA1

15d928181a3abe9fc84d21454246676baad444a8
SHA256

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449
SHA512

42630f7e98502c97806a4f241598dba61298d1874bffc7baf1bea34c3950861a182daf6798f4834b4d2865238569379a3bfa796dee953224fc29e712831170c4
SSDEEP

49152:13/bnTrRlJqN+zVjKQVO3LNjmd6P0uqVs:1jnTrrJqY5ORjSieG

Score

10^/10

amadey risepro evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeexplorta.exe42385fb1a1.exeexplorta.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	42385fb1a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42385fb1a1.exeexplorta.exeamert.exeexplorta.exef2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	42385fb1a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	42385fb1a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Executes dropped EXE 5 IoCs

Processes:

explorta.exe42385fb1a1.exeexplorta.exeamert.exee1a2fa8ab6.exe

pid process

2744 explorta.exe
1288 42385fb1a1.exe
1676 explorta.exe
652 amert.exe
2600 e1a2fa8ab6.exe

pid	process
2744	explorta.exe
1288	42385fb1a1.exe
1676	explorta.exe
652	amert.exe
2600	e1a2fa8ab6.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

42385fb1a1.exeexplorta.exeamert.exef2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeexplorta.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	42385fb1a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	explorta.exe

Loads dropped DLL 6 IoCs

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeexplorta.exe

pid	process
1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
2744	explorta.exe
2744	explorta.exe
2744	explorta.exe
2744	explorta.exe
2744	explorta.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\42385fb1a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000009001\\42385fb1a1.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1a2fa8ab6.exe = "C:\\Users\\Admin\\1000013002\\e1a2fa8ab6.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\e1a2fa8ab6.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeexplorta.exe42385fb1a1.exeexplorta.exeamert.exe

pid process

1276 f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
2744 explorta.exe
1288 42385fb1a1.exe
1676 explorta.exe
652 amert.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

explorta.exe

description pid process target process

PID 2744 set thread context of 1676 2744 explorta.exe explorta.exe

description	pid	process	target process
PID 2744 set thread context of 1676	2744	explorta.exe	explorta.exe

Drops file in Windows directory 2 IoCs

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeexplorta.exe42385fb1a1.exeexplorta.exeamert.exechrome.exe

pid	process
1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
2744	explorta.exe
1288	42385fb1a1.exe
1676	explorta.exe
652	amert.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe
Token: SeShutdownPrivilege	2604	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeamert.exee1a2fa8ab6.exechrome.exe

pid	process
1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
652	amert.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2604	chrome.exe
2604	chrome.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

e1a2fa8ab6.exechrome.exe

pid	process
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe
2600	e1a2fa8ab6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exeexplorta.exee1a2fa8ab6.exechrome.exe

description	pid	process	target process
PID 1276 wrote to memory of 2744	1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe	explorta.exe
PID 1276 wrote to memory of 2744	1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe	explorta.exe
PID 1276 wrote to memory of 2744	1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe	explorta.exe
PID 1276 wrote to memory of 2744	1276	f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe	explorta.exe
PID 2744 wrote to memory of 1288	2744	explorta.exe	42385fb1a1.exe
PID 2744 wrote to memory of 1288	2744	explorta.exe	42385fb1a1.exe
PID 2744 wrote to memory of 1288	2744	explorta.exe	42385fb1a1.exe
PID 2744 wrote to memory of 1288	2744	explorta.exe	42385fb1a1.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 1676	2744	explorta.exe	explorta.exe
PID 2744 wrote to memory of 652	2744	explorta.exe	amert.exe
PID 2744 wrote to memory of 652	2744	explorta.exe	amert.exe
PID 2744 wrote to memory of 652	2744	explorta.exe	amert.exe
PID 2744 wrote to memory of 652	2744	explorta.exe	amert.exe
PID 2744 wrote to memory of 2600	2744	explorta.exe	e1a2fa8ab6.exe
PID 2744 wrote to memory of 2600	2744	explorta.exe	e1a2fa8ab6.exe
PID 2744 wrote to memory of 2600	2744	explorta.exe	e1a2fa8ab6.exe
PID 2744 wrote to memory of 2600	2744	explorta.exe	e1a2fa8ab6.exe
PID 2600 wrote to memory of 2604	2600	e1a2fa8ab6.exe	chrome.exe
PID 2600 wrote to memory of 2604	2600	e1a2fa8ab6.exe	chrome.exe
PID 2600 wrote to memory of 2604	2600	e1a2fa8ab6.exe	chrome.exe
PID 2600 wrote to memory of 2604	2600	e1a2fa8ab6.exe	chrome.exe
PID 2604 wrote to memory of 2580	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2580	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2580	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe
PID 2604 wrote to memory of 2908	2604	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
"C:\Users\Admin\AppData\Local\Temp\f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\1000009001\42385fb1a1.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\42385fb1a1.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:652

C:\Users\Admin\1000013002\e1a2fa8ab6.exe
"C:\Users\Admin\1000013002\e1a2fa8ab6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67b9758,0x7fef67b9768,0x7fef67b9778
5⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:2
5⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:8
5⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1652 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:8
5⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:1
5⤵
PID:284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:1
5⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1152 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:2
5⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1492 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:1
5⤵
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2492 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:1
5⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3460 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:8
5⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 --field-trial-handle=1140,i,17170301350758979954,9580318604500195249,131072 /prefetch:8
5⤵
PID:1732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000013002\e1a2fa8ab6.exe
Filesize
1.1MB

MD5
41a62c2991354b73207e66303cf63e17

SHA1
27f26d0e8259f796b484e52047d5a339e23ff3fe

SHA256
676c792c38093bebfecf3455fc6a0a9993e2953f3cd5405520c15ab48a4fd7c6

SHA512
551277ee9467e8736323771be70ef00b28dd9686d8165dfc689b34eee57513b3b6dd4f9ac78e057214e4ab7f42c93822ea78b6c2f115c07956d254b0206e7857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
527B

MD5
b65639d53f1d5752bb097076558da976

SHA1
3af9bc3dcc456fe5a9aa9cb4281d5958cfb3ee93

SHA256
9e3c605b7c14759ed3b03fec9a822de1b95c40acf4f8784008f637d8fc3ef3cf

SHA512
c6382b4d8ffca57e4dae6cf9df73046a7a866f127071f187d680f3456902ee2c65c7db005af1c5856de922aa00fa90b0529e7302d1b6d534bb4737a714f4a406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
990706c68420c780eff833b509557100

SHA1
eb9a9920f569d9b766bb5698dcbabab8b34fd6c2

SHA256
12e1a2a6e6b9ec9d8153418c5cd5c66fe4251938ba316d3d4d6d65bacf641dc6

SHA512
30f50ba56e89a5e62e8accea79d51b925da63082623812624e96182d71c66408a34d56b56f3e8323d6d4983e2a4ce3aab736bdd8575adbde11a778f0dc213c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
47d62527d6ab83eead156b54ad9af971

SHA1
3a94da42c3577294ff0df12ef844406a088d26ea

SHA256
514f7a5f6fe49159911b892b4f0cbf3e57aaecf7273f145e9432b2fbfce9d4ad

SHA512
1d36b6ca36380ce3f5adb103e7b6dbd3d3d0613d8c8ca5011262d8a15a7b8b2f720318ec48177e34c937047e9d813e566854370aae2ab7c7aa8d48e99f29c919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\42385fb1a1.exe
Filesize
2.3MB

MD5
d03215bedf861204777e1bbfcd4d0d90

SHA1
b429ef5ef909e54fe0d08cc66c0e70eeddeb18ea

SHA256
1c330c99687ac4f9a84eefa4110a439bc89575f9bf8fbbfd4e1b7e8845e00797

SHA512
b84e7d6746b5fc2bbc569fcf838164a090560eef1dd66dbca2a5040dbc7ae826d3150e103f1c342282327e4b2729583dd801550e6446c0680269e90c6f6a6c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
Filesize
1.9MB

MD5
494e5a74b19aadb6bb9704071051c12c

SHA1
baf176ee78803704ddc98319d2ffd8f46c288b46

SHA256
7458c3fdd1d2b52f8c61606bac915f700b8a54aa98f9e245f4f6008b0ca79498

SHA512
4826a55342ec35c501a9617d7f91d3f8b405f98e42716cb5bca2fdfa1b860e7f5e849a57d2a5bf51d6b6d635cd1cc2a1f2d4e0778bd895fa932606abd56eff40

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Filesize
1.8MB

MD5
169d873778a229bcb4f010f87930cb28

SHA1
15d928181a3abe9fc84d21454246676baad444a8

SHA256
f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449

SHA512
42630f7e98502c97806a4f241598dba61298d1874bffc7baf1bea34c3950861a182daf6798f4834b4d2865238569379a3bfa796dee953224fc29e712831170c4

Download Submit
\??\pipe\crashpad_2604_GPYDMOEDEQEIIIOL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/652-189-0x0000000000800000-0x0000000000CDD000-memory.dmp

Filesize
4.9MB

Download
memory/1276-15-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1276-11-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1276-0-0x00000000012B0000-0x0000000001772000-memory.dmp

Filesize
4.8MB

Download
memory/1276-16-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1276-17-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1276-12-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1276-27-0x00000000070C0000-0x0000000007582000-memory.dmp

Filesize
4.8MB

Download
memory/1276-26-0x00000000012B0000-0x0000000001772000-memory.dmp

Filesize
4.8MB

Download
memory/1276-2-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1276-3-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1276-1-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/1276-4-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1276-10-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1276-9-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1276-13-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1276-8-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1276-5-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1276-6-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1276-7-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1288-76-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1288-316-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-243-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-314-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-75-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1288-325-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-152-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-74-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1288-150-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-69-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1288-72-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1288-77-0x0000000000900000-0x0000000000902000-memory.dmp

Filesize
8KB

Download
memory/1288-308-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-290-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-62-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-73-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/1288-71-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1288-70-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1288-68-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1288-67-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1288-66-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1288-65-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1288-64-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1288-133-0x0000000000C00000-0x00000000011E1000-memory.dmp

Filesize
5.9MB

Download
memory/1288-79-0x0000000002EB0000-0x0000000002EB2000-memory.dmp

Filesize
8KB

Download
memory/1676-129-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-131-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-87-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-88-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-90-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-89-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-92-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-93-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-96-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-99-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-134-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-101-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/1676-102-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-103-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-104-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-105-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-106-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-107-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-108-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-109-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-110-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-111-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-112-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-113-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-114-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-115-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-116-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-117-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-118-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-120-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-119-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-121-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-122-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-123-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-124-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-125-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-126-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-127-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-135-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1676-85-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-130-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-132-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-83-0x0000000000400000-0x00000000009D5000-memory.dmp

Filesize
5.8MB

Download
memory/1676-140-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1676-139-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1676-138-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/1676-137-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1676-136-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2744-279-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-151-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-128-0x0000000006E60000-0x0000000007441000-memory.dmp

Filesize
5.9MB

Download
memory/2744-63-0x0000000006E60000-0x0000000007441000-memory.dmp

Filesize
5.9MB

Download
memory/2744-35-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2744-61-0x0000000006E60000-0x0000000007441000-memory.dmp

Filesize
5.9MB

Download
memory/2744-44-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2744-43-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2744-191-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-42-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2744-41-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2744-36-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2744-33-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2744-34-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2744-78-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-100-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-32-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2744-305-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-37-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2744-309-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-38-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2744-315-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-39-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2744-31-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2744-324-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-29-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2744-326-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download
memory/2744-30-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2744-28-0x0000000000E60000-0x0000000001322000-memory.dmp

Filesize
4.8MB

Download