amadey | 167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76

Analysis

max time kernel
135s
max time network
267s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
Size

1.8MB
MD5

2219c3ce108405ddb8cf2ddae48414f0
SHA1

3f96d7d308840f817a61489aca818c94d010d51a
SHA256

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76
SHA512

b34c335ddc297d2432754e6f553e643591963ebac0f8515a73f87209dacd95ee592b0a46110617e5fdfc4136fa347042c07f3c730824bbac4c64de5d1f245c54
SSDEEP

49152:L3/bnNVkYk9FHRllmizxmFrYrZK8P19xY9ejszuth40:Ljn8Yk9FHRHwVMA8bHjsKHV

Score

10^/10

amadey risepro evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorta.exeexplorta.exeamert.exefc86228073.exe167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fc86228073.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeexplorta.exeexplorta.exefc86228073.exeamert.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fc86228073.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fc86228073.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe

Executes dropped EXE 5 IoCs

Processes:

explorta.exeexplorta.exeamert.exe4b2946096f.exefc86228073.exe

pid process

2696 explorta.exe
2316 explorta.exe
692 amert.exe
1792 4b2946096f.exe
1416 fc86228073.exe

pid	process
2696	explorta.exe
2316	explorta.exe
692	amert.exe
1792	4b2946096f.exe
1416	fc86228073.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeexplorta.exeexplorta.exeamert.exefc86228073.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	fc86228073.exe

Loads dropped DLL 6 IoCs

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeexplorta.exe

pid	process
2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
2696	explorta.exe
2696	explorta.exe
2696	explorta.exe
2696	explorta.exe
2696	explorta.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b2946096f.exe = "C:\\Users\\Admin\\1000013002\\4b2946096f.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fc86228073.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\fc86228073.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\4b2946096f.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeexplorta.exeexplorta.exeamert.exefc86228073.exe

pid process

2208 167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
2696 explorta.exe
2316 explorta.exe
692 amert.exe
1416 fc86228073.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

explorta.exe

description pid process target process

PID 2696 set thread context of 2316 2696 explorta.exe explorta.exe

description	pid	process	target process
PID 2696 set thread context of 2316	2696	explorta.exe	explorta.exe

Drops file in Windows directory 2 IoCs

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeexplorta.exeexplorta.exeamert.exechrome.exefc86228073.exe

pid	process
2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
2696	explorta.exe
2316	explorta.exe
692	amert.exe
1652	chrome.exe
1652	chrome.exe
1416	fc86228073.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeamert.exe4b2946096f.exechrome.exe

pid	process
2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
692	amert.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1652	chrome.exe
1652	chrome.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

4b2946096f.exechrome.exe

pid	process
1792	4b2946096f.exe
1792	4b2946096f.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe
1792	4b2946096f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exeexplorta.exe4b2946096f.exechrome.exe

description	pid	process	target process
PID 2208 wrote to memory of 2696	2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe	explorta.exe
PID 2208 wrote to memory of 2696	2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe	explorta.exe
PID 2208 wrote to memory of 2696	2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe	explorta.exe
PID 2208 wrote to memory of 2696	2208	167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 2316	2696	explorta.exe	explorta.exe
PID 2696 wrote to memory of 692	2696	explorta.exe	amert.exe
PID 2696 wrote to memory of 692	2696	explorta.exe	amert.exe
PID 2696 wrote to memory of 692	2696	explorta.exe	amert.exe
PID 2696 wrote to memory of 692	2696	explorta.exe	amert.exe
PID 2696 wrote to memory of 1792	2696	explorta.exe	4b2946096f.exe
PID 2696 wrote to memory of 1792	2696	explorta.exe	4b2946096f.exe
PID 2696 wrote to memory of 1792	2696	explorta.exe	4b2946096f.exe
PID 2696 wrote to memory of 1792	2696	explorta.exe	4b2946096f.exe
PID 1792 wrote to memory of 1652	1792	4b2946096f.exe	chrome.exe
PID 1792 wrote to memory of 1652	1792	4b2946096f.exe	chrome.exe
PID 1792 wrote to memory of 1652	1792	4b2946096f.exe	chrome.exe
PID 1792 wrote to memory of 1652	1792	4b2946096f.exe	chrome.exe
PID 1652 wrote to memory of 852	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 852	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 852	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 1936	1652	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe
"C:\Users\Admin\AppData\Local\Temp\167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:692
- - C:\Users\Admin\1000013002\4b2946096f.exe
    "C:\Users\Admin\1000013002\4b2946096f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7689758,0x7fef7689768,0x7fef7689778
        5⤵
        
        PID:852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:2
        5⤵
        
        PID:1936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:8
        5⤵
        
        PID:2772
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:8
        5⤵
        
        PID:1524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:1
        5⤵
        
        PID:1752
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1532 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:1
        5⤵
        
        PID:1848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3024 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:1
        5⤵
        
        PID:1660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:2
        5⤵
        
        PID:1100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2684 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:1
        5⤵
        
        PID:1136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3472 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:8
        5⤵
        
        PID:2872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 --field-trial-handle=1376,i,7885021369476160083,9119080122004072883,131072 /prefetch:8
        5⤵
        
        PID:2720
- - C:\Users\Admin\AppData\Local\Temp\1000014001\fc86228073.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\fc86228073.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000013002\4b2946096f.exe

Filesize
1.1MB

MD5
a70bf81674aa5e6f9b28c98831a695e6

SHA1
6f6ccd011f9a68740cc6a2fa0e92dc32907bc6f3

SHA256
c4fec87617a2a5cb4cf01017cd3aa3b23d9f593970e80f43fdcbaafdebe2b834

SHA512
7a675bf5ed7ad690bef58457cd5fee62d256734df74356896ea64949527c0b57745f526f9c8b803fd59412ffe7ac6c343cb74e2b6b01d34b6f69a51554722072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
407ae06f5027ac76b2410bbfb7afe584

SHA1
8ea6f479ec2087bbbebf03680bca8b8f972cc404

SHA256
075607ca4ac1991712f8923672cc78600e307811da67a3e5219379d3f4c25fb1

SHA512
7fe291166f6c330d6b9878e8d68e328e60b200ab47de904128a01a18390880d716569c0305590d0cedd841871b59ee8043eb8b4d1814296e62c12cf1b2c1ee51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0822938a8483f80d898fa19ab7f150e5

SHA1
42fe154f110887c88b82e04fad32a2ba9689d579

SHA256
91f44187eb7ad445545f3e2930d8c531f2160e9b423f7e803b15358d30a7eb6e

SHA512
88e76a923526cbb95ca581bdcd1bd8417dfd93f1bfb2605f113904f6a98d0e2e78b059d34aa8b99de45a649f266d59fdcd41ba3145cc545eed5e9c49b43a937e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
cfcc87ae735f541991dfa7df4aad1627

SHA1
69940b823b8700c6fb8c4154fb08b275bf39549c

SHA256
d06b7b6a621d292962fb891a0906e248f9a6d70aa5d9c790284affb5ee94d959

SHA512
0bc1a10eb3961b055044ca3194be3586b6486dd8fd6198601e407c801eb532790a3176bbd7b38e477ebc3b155868bf526bed5d4337a1341b2f334f840e5fdb13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
8c6cf14bf69f469192361a5fd412b0f5

SHA1
fbe40b502100fbc8e230824752882844d298e273

SHA256
8e007412494f93b5c141e7fd6023f36a0b746ad4268af709312b8ea025751a8c

SHA512
34401c465a9691b387c69d42032615a61a411aeb71dabfd34fdf0acf64f07c19bc912acb931ef7cec6f8678f21dfb09522d423dc59c969efe80b90db8e849a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFf7a3082.TMP

Filesize
523B

MD5
bdd0004d88d5e5d97e65cbf663d4dd7d

SHA1
b47155666fb8b40e457b19ffcc31390f513f622d

SHA256
539f0148a05110c42d2983a343bf0b6db0532a3440b2b259cb1ebe1e075c1601

SHA512
497f8c457f22a52331c676b8781d425b3e5c1283eef6bf99577ee7caa4f89753229854661c8d8b3b04f4f704278c8cd964b8ade66668ede305fb6505df67418d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a21fdf78c5d812e7a8c151521eda41b6

SHA1
a0341a3083ad6c2c243a2c9f1c5e2200436b76bc

SHA256
be123b15d5a2c63b71e0dceb4c2899c30bc4385142f700c456bd1be966a6fd37

SHA512
1b536de4300fbf05a51e2717ebbad8274e835e6c2abb7dc7e1e8cb9333a64c1f9af977309bd51c9a621a99701f15115773d5acc6aec4f8ba09d0ea1e97a13075

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f64adeee3aa81b98ea2f7d9b02713ba9

SHA1
1d4a4426c0e639a9e5da9c37eb329499bbbc01ba

SHA256
5dfc8d331412c070e42c6515eee0e9bc8ca2d30fa9ac6120663ef2312f58a138

SHA512
bd8478d7fd09eb79f5857cea24ba79b3c207a37bea529c8397b754e0b6a7f27484131912a052e2a491f6df27ec54b79fe292995b0db2dd59e2549527105c95e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe

Filesize
1.8MB

MD5
78e87f051f07f1998e630e492b51cd76

SHA1
dab764fbab558ad2b59f58657bac366acb4b1fe4

SHA256
b9fdf54d1cabf91c8474f5caf17a5591b77d890ba8257f5baadbc5fb1c723dc3

SHA512
f6c195f90c0d4dadcf3541c0ab5c207a3c018a48c9c1a39618d5160eb3725cf4c6b036c0d1789cb91ecb9698e6de0d85c0414eb389a55cb32a3dd145af71ec6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\fc86228073.exe

Filesize
2.3MB

MD5
40fbf4a4064a99cc0aa06b47420e829d

SHA1
747fef5df07e02c184ce2bf196c84f481a1a4e2a

SHA256
38aa4b13ddef75872d2082797f47ba42cdf7769b6b2e73599f23dd3b89891f2a

SHA512
dd774cdc654ec99e5f7334ce80a95b53e943d0773ef4e0ff348900621644e00569e64867de688b53d85ab5df3426fa60c91108b88c99e892707bae05e54ba494

Download Submit
\??\pipe\crashpad_1652_FLPORDNKTAOYPCWZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.8MB

MD5
2219c3ce108405ddb8cf2ddae48414f0

SHA1
3f96d7d308840f817a61489aca818c94d010d51a

SHA256
167c062059da1812083f1763921f7a35405224e7ef33c3baa22b449352054e76

SHA512
b34c335ddc297d2432754e6f553e643591963ebac0f8515a73f87209dacd95ee592b0a46110617e5fdfc4136fa347042c07f3c730824bbac4c64de5d1f245c54

Download Submit
memory/692-135-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/692-147-0x00000000010E0000-0x000000000159D000-memory.dmp

Filesize
4.7MB

Download
memory/692-129-0x00000000010E0000-0x000000000159D000-memory.dmp

Filesize
4.7MB

Download
memory/692-130-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/692-131-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/692-132-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/692-133-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/692-134-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/692-136-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/692-137-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/692-138-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/692-128-0x00000000010E0000-0x000000000159D000-memory.dmp

Filesize
4.7MB

Download
memory/1416-345-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-295-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-323-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-319-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-317-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-336-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-308-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/1416-306-0x0000000001050000-0x0000000001623000-memory.dmp

Filesize
5.8MB

Download
memory/2208-16-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2208-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2208-27-0x0000000007190000-0x000000000763B000-memory.dmp

Filesize
4.7MB

Download
memory/2208-18-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2208-17-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2208-0-0x00000000010A0000-0x000000000154B000-memory.dmp

Filesize
4.7MB

Download
memory/2208-15-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2208-14-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/2208-26-0x00000000010A0000-0x000000000154B000-memory.dmp

Filesize
4.7MB

Download
memory/2208-4-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2208-6-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2208-7-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2208-8-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2208-12-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2208-9-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2208-10-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2208-11-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2316-85-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-105-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2316-75-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-76-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-77-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-78-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-79-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-80-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-81-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-82-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-83-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-84-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-86-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-73-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-87-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-88-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-89-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-90-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-92-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-91-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-93-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-94-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-95-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-96-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-97-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-98-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-99-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2316-53-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-110-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2316-109-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/2316-111-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/2316-108-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/2316-107-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2316-106-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/2316-104-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2316-103-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2316-102-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2316-101-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2316-100-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2316-72-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-74-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-50-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-70-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-71-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-69-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-52-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-67-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-64-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-61-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-60-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-58-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-56-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-54-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/2696-122-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-68-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-49-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2696-127-0x0000000006B10000-0x0000000006FCD000-memory.dmp

Filesize
4.7MB

Download
memory/2696-51-0x000000000A230000-0x000000000A6DB000-memory.dmp

Filesize
4.7MB

Download
memory/2696-45-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2696-280-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-43-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2696-299-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-42-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2696-307-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-30-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2696-309-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-31-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2696-32-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2696-318-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-33-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2696-320-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-34-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2696-324-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-36-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2696-39-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2696-40-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2696-344-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download
memory/2696-41-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2696-37-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2696-38-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2696-35-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2696-29-0x0000000000E70000-0x000000000131B000-memory.dmp

Filesize
4.7MB

Download