amadey | 10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259

Analysis

max time kernel
94s
max time network
268s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
Size

1.8MB
MD5

0909caf4408598a9200cc2c49917c4f2
SHA1

b89c1c628ed933b0bc8cab81dabbf5fa7b31a05a
SHA256

10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259
SHA512

17c83bd88b6de4553b881965e5993aae4c9f6b07a2ed2a47f4e58a66b128c0b60f2244348926e3944b8e9c16c554bf8877a356ff7aee7c3d3f3b86a990481d1d
SSDEEP

49152:k3/bnBXIwlY4TZncU+8CcuaI10R7mv38PYhNs4:kjn5IIY4TZsv04v/z

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a5d6ec4479.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a5d6ec4479.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a5d6ec4479.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe

Executes dropped EXE 4 IoCs

pid	Process
2728	explorta.exe
1512	amert.exe
2220	2eb3e7f543.exe
2200	a5d6ec4479.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	a5d6ec4479.exe

Loads dropped DLL 6 IoCs

pid	Process
2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
2728	explorta.exe
2728	explorta.exe
2728	explorta.exe
2728	explorta.exe
2728	explorta.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\2eb3e7f543.exe = "C:\\Users\\Admin\\1000013002\\2eb3e7f543.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5d6ec4479.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\a5d6ec4479.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000001654a-94.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
2728	explorta.exe
1512	amert.exe
2200	a5d6ec4479.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\chrosha.job	amert.exe
File created	C:\Windows\Tasks\explorta.job	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
2728	explorta.exe
1512	amert.exe
560	chrome.exe
560	chrome.exe
2200	a5d6ec4479.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe
Token: SeShutdownPrivilege	560	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
1512	amert.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
560	chrome.exe
560	chrome.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
560	chrome.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe
2220	2eb3e7f543.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2728	2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe	28
PID 2260 wrote to memory of 2728	2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe	28
PID 2260 wrote to memory of 2728	2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe	28
PID 2260 wrote to memory of 2728	2260	10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe	28
PID 2728 wrote to memory of 2724	2728	explorta.exe	29
PID 2728 wrote to memory of 2724	2728	explorta.exe	29
PID 2728 wrote to memory of 2724	2728	explorta.exe	29
PID 2728 wrote to memory of 2724	2728	explorta.exe	29
PID 2728 wrote to memory of 1512	2728	explorta.exe	31
PID 2728 wrote to memory of 1512	2728	explorta.exe	31
PID 2728 wrote to memory of 1512	2728	explorta.exe	31
PID 2728 wrote to memory of 1512	2728	explorta.exe	31
PID 2728 wrote to memory of 2220	2728	explorta.exe	32
PID 2728 wrote to memory of 2220	2728	explorta.exe	32
PID 2728 wrote to memory of 2220	2728	explorta.exe	32
PID 2728 wrote to memory of 2220	2728	explorta.exe	32
PID 2220 wrote to memory of 560	2220	2eb3e7f543.exe	33
PID 2220 wrote to memory of 560	2220	2eb3e7f543.exe	33
PID 2220 wrote to memory of 560	2220	2eb3e7f543.exe	33
PID 2220 wrote to memory of 560	2220	2eb3e7f543.exe	33
PID 560 wrote to memory of 916	560	chrome.exe	34
PID 560 wrote to memory of 916	560	chrome.exe	34
PID 560 wrote to memory of 916	560	chrome.exe	34
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 692	560	chrome.exe	36
PID 560 wrote to memory of 1196	560	chrome.exe	37
PID 560 wrote to memory of 1196	560	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe
"C:\Users\Admin\AppData\Local\Temp\10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1512
- - C:\Users\Admin\1000013002\2eb3e7f543.exe
    "C:\Users\Admin\1000013002\2eb3e7f543.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7379758,0x7fef7379768,0x7fef7379778
        5⤵
        
        PID:916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:2
        5⤵
        
        PID:692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:8
        5⤵
        
        PID:1196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:8
        5⤵
        
        PID:1304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:1
        5⤵
        
        PID:3044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2108 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:1
        5⤵
        
        PID:1200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3292 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:1
        5⤵
        
        PID:2192
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1516 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:2
        5⤵
        
        PID:2508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2524 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:1
        5⤵
        
        PID:1264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2512 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:8
        5⤵
        
        PID:2652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 --field-trial-handle=1348,i,4008074562888619930,2407622242653264638,131072 /prefetch:8
        5⤵
        
        PID:2520
- - C:\Users\Admin\AppData\Local\Temp\1000014001\a5d6ec4479.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\a5d6ec4479.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000013002\2eb3e7f543.exe

Filesize
1.1MB

MD5
a70bf81674aa5e6f9b28c98831a695e6

SHA1
6f6ccd011f9a68740cc6a2fa0e92dc32907bc6f3

SHA256
c4fec87617a2a5cb4cf01017cd3aa3b23d9f593970e80f43fdcbaafdebe2b834

SHA512
7a675bf5ed7ad690bef58457cd5fee62d256734df74356896ea64949527c0b57745f526f9c8b803fd59412ffe7ac6c343cb74e2b6b01d34b6f69a51554722072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bfec7252d38f87627da8372dcbdfcd20

SHA1
b3f096a8c01673f7473b6fc107eee2c1274f9fbf

SHA256
797c57f74367db0b1d3b4dade5ffaf9f26eeb5c4cae4d4093057c31c4b276f2f

SHA512
b6a77a9f22b7038b98cc9abff13bc2afaef11483d6aae03025fd80911ef8729e173ef9b037e727216909de4bce6520894957e7c942d8d1cf80657bba417dfb8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c72ecece1921290499d9519580fba2e1

SHA1
3536aa109e49a8115f77ff629d14d1ad757318af

SHA256
48378173cdb4bc7731e7344371933c7ab9923a95ad4df3784d872328db20a651

SHA512
5a9760698b0c8cf5aa2b4dcdc71ef25c987d43dd4ada7096b326553bada7619c63d1d4d303e324f72e3888342ca9a1ac6eef59088772a81bab02e0288fbf6ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
521B

MD5
a97fe9b0c77978b4a44e905f7b5ab372

SHA1
912b5eb07722dd6c96936c80267f956c40f3d59b

SHA256
bc603b663417c12f4053d288b672d45af0f84b8ce67dfde2263a18a3ce35992e

SHA512
a10e80e75832c6976c65a1a09137dfcd0e7dd518d4c004ffe0774980c1454adf7d0f59b5a88ea5089043cef4eef2857972aac7ef38c6cefb5087e33747f8099b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8a70bc3eef3b3ac8be1c86e9903f642

SHA1
0fd7c40281f9cc768c8f2882b273ae328155458c

SHA256
3d68d82c64d11c41f5d39590380acda9d855007b002c468072da428a1a8bf4ef

SHA512
4c7b4df5a675b0353eba67e4d31f51afef5aa5c282fe5727c785b01a872ed7e9f0f58f1e98e3e3d4d2eb206cf73d823e76b7bcf255613d00ac67b66008b01318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cd5bc00cf92e2dfbf1f4f0512f1ebcde

SHA1
4c11225b31d77e31062afd5263eab9c8febd9097

SHA256
85448cc1ce88feb0b844326ecbf56fb8963c57734da6e6a993a7d06e4c613b3a

SHA512
4eaaf0ca2f5b7caa1542bb464e58bc6a01a751905663ff63b9cc2108930ad802a3518430cd29c9b7a7d95527564cea79d722e3184f1496c40412f992d5ccd0e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe

Filesize
1.8MB

MD5
78e87f051f07f1998e630e492b51cd76

SHA1
dab764fbab558ad2b59f58657bac366acb4b1fe4

SHA256
b9fdf54d1cabf91c8474f5caf17a5591b77d890ba8257f5baadbc5fb1c723dc3

SHA512
f6c195f90c0d4dadcf3541c0ab5c207a3c018a48c9c1a39618d5160eb3725cf4c6b036c0d1789cb91ecb9698e6de0d85c0414eb389a55cb32a3dd145af71ec6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\a5d6ec4479.exe

Filesize
2.3MB

MD5
40fbf4a4064a99cc0aa06b47420e829d

SHA1
747fef5df07e02c184ce2bf196c84f481a1a4e2a

SHA256
38aa4b13ddef75872d2082797f47ba42cdf7769b6b2e73599f23dd3b89891f2a

SHA512
dd774cdc654ec99e5f7334ce80a95b53e943d0773ef4e0ff348900621644e00569e64867de688b53d85ab5df3426fa60c91108b88c99e892707bae05e54ba494

Download Submit
\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.8MB

MD5
0909caf4408598a9200cc2c49917c4f2

SHA1
b89c1c628ed933b0bc8cab81dabbf5fa7b31a05a

SHA256
10f66a33c61b7e8de2726d5925258e3dc412cd66aba74183e2d2b4912f2a7259

SHA512
17c83bd88b6de4553b881965e5993aae4c9f6b07a2ed2a47f4e58a66b128c0b60f2244348926e3944b8e9c16c554bf8877a356ff7aee7c3d3f3b86a990481d1d

Download Submit
memory/1512-78-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1512-65-0x00000000000F0000-0x00000000005AD000-memory.dmp

Filesize
4.7MB

Download
memory/1512-89-0x00000000000F0000-0x00000000005AD000-memory.dmp

Filesize
4.7MB

Download
memory/1512-83-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1512-88-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1512-82-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1512-81-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1512-67-0x00000000000F0000-0x00000000005AD000-memory.dmp

Filesize
4.7MB

Download
memory/1512-68-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1512-69-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1512-70-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1512-71-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1512-72-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1512-73-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1512-74-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1512-75-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1512-76-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1512-77-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1512-79-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2200-313-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-198-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2200-258-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-307-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-305-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-303-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-301-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-256-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-247-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-311-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-292-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-262-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-275-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-315-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-317-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-319-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-243-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-328-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-330-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-332-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-334-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-336-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-233-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-338-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-284-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-199-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2200-309-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-195-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-197-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2200-196-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2200-286-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-288-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2200-290-0x00000000010D0000-0x00000000016A3000-memory.dmp

Filesize
5.8MB

Download
memory/2260-27-0x0000000007180000-0x0000000007633000-memory.dmp

Filesize
4.7MB

Download
memory/2260-10-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2260-8-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2260-7-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2260-6-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2260-16-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2260-17-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2260-18-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2260-13-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2260-2-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2260-11-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2260-26-0x0000000000830000-0x0000000000CE3000-memory.dmp

Filesize
4.7MB

Download
memory/2260-9-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2260-3-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2260-15-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2260-5-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2260-12-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x00000000775F0000-0x00000000775F2000-memory.dmp

Filesize
8KB

Download
memory/2260-4-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2260-0-0x0000000000830000-0x0000000000CE3000-memory.dmp

Filesize
4.7MB

Download
memory/2728-43-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2728-261-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-257-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-255-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-263-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-246-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-238-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-283-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-228-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-285-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-194-0x0000000006750000-0x0000000006D23000-memory.dmp

Filesize
5.8MB

Download
memory/2728-287-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-193-0x0000000006750000-0x0000000006C0D000-memory.dmp

Filesize
4.7MB

Download
memory/2728-289-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-144-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-291-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-66-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-293-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-64-0x0000000006750000-0x0000000006C0D000-memory.dmp

Filesize
4.7MB

Download
memory/2728-49-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2728-302-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-50-0x0000000009C80000-0x000000000A133000-memory.dmp

Filesize
4.7MB

Download
memory/2728-304-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-45-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2728-306-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-44-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2728-308-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-38-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2728-310-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-39-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2728-312-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-40-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2728-314-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-41-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2728-316-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-33-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2728-318-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-34-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2728-37-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2728-327-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-35-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2728-329-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-36-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2728-331-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-31-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2728-333-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-32-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2728-335-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-30-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2728-337-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download
memory/2728-29-0x00000000003E0000-0x0000000000893000-memory.dmp

Filesize
4.7MB

Download