amadey | 5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01-05-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
Size

1.8MB
MD5

67e3d83c9f36d8d2a69f631f8ab56470
SHA1

2fbcb73ccda5ab0383eac715bb33163c942954bd
SHA256

5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed
SHA512

d73a5a12523656d51ecd4e50f79b3e96dae9d9e06cb2461b82331e615a33d601cef8d9bca2f127adc3a25e9ba1be4f56eb43871433b1ece77ba697b4a62e0488
SSDEEP

49152:N3/bn8EG04HH89Z1Q1nFtMoZ9Fx2hdL5lZ:NjnqPHkC1nFtB9IZZ

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.93:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a5c828cb9c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
36	4532	rundll32.exe
37	4576	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a5c828cb9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a5c828cb9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe

Executes dropped EXE 7 IoCs

pid	Process
4632	explorta.exe
1940	amert.exe
3820	e3f2c003cd.exe
1164	a5c828cb9c.exe
3620	chrosha.exe
1104	explorta.exe
3552	explorta.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	a5c828cb9c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	rundll32.exe
4532	rundll32.exe
4576	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\e3f2c003cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\e3f2c003cd.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5c828cb9c.exe = "C:\\Users\\Admin\\1000017002\\a5c828cb9c.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa14-54.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1868	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
4632	explorta.exe
1940	amert.exe
1164	a5c828cb9c.exe
3620	chrosha.exe
1104	explorta.exe
3552	explorta.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\chrosha.job	amert.exe
File created	C:\Windows\Tasks\explorta.job	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590005760527039"	chrome.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1868	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
1868	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
4632	explorta.exe
4632	explorta.exe
1940	amert.exe
1940	amert.exe
4760	chrome.exe
4760	chrome.exe
1164	a5c828cb9c.exe
1164	a5c828cb9c.exe
3620	chrosha.exe
3620	chrosha.exe
1104	explorta.exe
1104	explorta.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
4532	rundll32.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
3552	explorta.exe
3552	explorta.exe
2028	chrome.exe
2028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe
Token: SeShutdownPrivilege	4760	chrome.exe
Token: SeCreatePagefilePrivilege	4760	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
4760	chrome.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
4760	chrome.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe
3820	e3f2c003cd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 4632	1868	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe	82
PID 1868 wrote to memory of 4632	1868	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe	82
PID 1868 wrote to memory of 4632	1868	5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe	82
PID 4632 wrote to memory of 2804	4632	explorta.exe	83
PID 4632 wrote to memory of 2804	4632	explorta.exe	83
PID 4632 wrote to memory of 2804	4632	explorta.exe	83
PID 4632 wrote to memory of 1940	4632	explorta.exe	84
PID 4632 wrote to memory of 1940	4632	explorta.exe	84
PID 4632 wrote to memory of 1940	4632	explorta.exe	84
PID 4632 wrote to memory of 3820	4632	explorta.exe	85
PID 4632 wrote to memory of 3820	4632	explorta.exe	85
PID 4632 wrote to memory of 3820	4632	explorta.exe	85
PID 3820 wrote to memory of 4760	3820	e3f2c003cd.exe	86
PID 3820 wrote to memory of 4760	3820	e3f2c003cd.exe	86
PID 4760 wrote to memory of 1684	4760	chrome.exe	89
PID 4760 wrote to memory of 1684	4760	chrome.exe	89
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1276	4760	chrome.exe	90
PID 4760 wrote to memory of 1184	4760	chrome.exe	91
PID 4760 wrote to memory of 1184	4760	chrome.exe	91
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92
PID 4760 wrote to memory of 3988	4760	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe
"C:\Users\Admin\AppData\Local\Temp\5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\1000016001\e3f2c003cd.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\e3f2c003cd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc517cab58,0x7ffc517cab68,0x7ffc517cab78
        5⤵
        
        PID:1684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:2
        5⤵
        
        PID:1276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:8
        5⤵
        
        PID:1184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:8
        5⤵
        
        PID:3988
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:1
        5⤵
        
        PID:4180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:1
        5⤵
        
        PID:2900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3900 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:1
        5⤵
        
        PID:4400
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:8
        5⤵
        
        PID:1008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:8
        5⤵
        
        PID:3152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:8
        5⤵
        
        PID:920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1732,i,9126542036684400700,3197628112411422077,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
- - C:\Users\Admin\1000017002\a5c828cb9c.exe
    "C:\Users\Admin\1000017002\a5c828cb9c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3620
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:1540
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5088
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4576

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000017002\a5c828cb9c.exe

Filesize
2.3MB

MD5
89b1c9afd6d4d2965e3db0df0188acd0

SHA1
75776c7ecd7f10359598261bbb223a72a2cf9bb3

SHA256
525c1df58f934b5f785fb977d040e96648c36eeaf7a1c16643bee25428da235d

SHA512
a8cdd1b62bd7d08080143cb4533da0e1a6183e16036134dafcfefe36336b8426c3f6300fcc29878308758f59611032a621ca24d2e61e8e0a983f586317e08608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
c44389cede021c7cdce462230e75ff71

SHA1
a7ee9f4ce5ccd63f59bd60ea2958a381c813ec23

SHA256
6cd31dbf4511b78d8024cff2fb7ce101b1e49df26fe3ca333d44ba2153560d3f

SHA512
3075259a5308cbd1ddeda5bb4c71cdc88854947ed7a80de9cf1ef31c9c1349bb2840398aa22f6b96e6a17946017363d1b106357b54c4ddc66e7429965b605b19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
97e02491e1403681932083b520f4fd2c

SHA1
291a3067c0e743442470e1182ce5815b84380932

SHA256
4553fbbc6c1356cacfbcf55110e9a601c35e9d55946c1ebdb8847dcfb32451a1

SHA512
61ecea270ef2b4daf606668c7b5b19e33dbf3a9ec0fc9bf7264b1b6f26d5d21399e7020c2485df240193ff0cb13d0065d9fd001f855e460f29841e29ca7f965e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
390a607ce812ca96483c50f3bd393af1

SHA1
fdf349f2b7ba344e20451030b84ad37ee4bfa829

SHA256
48ccb713bbce7a7dd6a89f9c4f9a562b232139f0103bcdc818f3ab55f0043294

SHA512
997037f992af9ddd5a71b42a29b3295ce0677a659eab6944ed93ca62cef8572e40d79400cb3f9f6cffe12c69172dff4f84c6fccb34bb7d5c90761ffcc86513a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
9ffb35f6aa6bbd6139bd0c1935ec2594

SHA1
251923fd5baad8e852cf7688eb0e0766dda2d0a7

SHA256
6e389eb4f43e3df53255c6b1756df1557ebb335a29d4b8874d2a5f2301ebba0f

SHA512
7298956a4adb61b37ab7db988e7efcf27f2f06b8f21a5e00d3ca8aa53166577b9dce245d285ae96cca0f4398f1057d8ab7e3788a47e333d2c6aec2be72896e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
703f0360a3b51c0ec4ad73b71e023422

SHA1
1b0ab1d48504d42b6da8fcf38b079f1695208097

SHA256
1190a42fe096a5bdb93b99e4ff9fb4c446cf7f6788e838cdc157ce77262b71a7

SHA512
ae3eeda6f52e23a58360668fa491524ce83553d2345e9e68236eb42001b83aeefc12e99e25a5f8c953253bcac711e432f5edaa7fa398d4addc12f1b83efbbd3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a14a6eb0a8deb9c0a725c9dc282dfb73

SHA1
5311e029f83f0dcd9bc96927ef8bf3e84551415b

SHA256
d5c67ebd914870988504bd71297af4d428c3acd948f8ac8474e31235183e7396

SHA512
b2ef98e0c301c37cf32b3b59bc9be8d1d2d5826d430b4fed1d2ae4c7c4be44a22d4da6da72fbc60170f09ee2850038126c1e74fab29763b21f41b0f3d92afa37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
d1e23f12d56f503bfe477d2f7d1c7293

SHA1
b361d87ce1929fad638cd477f14d7450e24c0327

SHA256
e1c27a617b8489da15f2820d78473c73f4f6c720ea4cc0ba955da79066d6d27c

SHA512
2a407f59c25fa8fc6921b0776c071596e86015633326f10075bb1910852702741d6bf310ee0ad4d1526fadf3de41698b070feff3f240eb47eaefdcd6dde51e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

Filesize
1.8MB

MD5
2c7042f8a224df7a3714de017054b6cd

SHA1
375c7745bbaf961a2b7e82f8370e8047cae7a449

SHA256
abb653f47ccc396608307f519ddb4e292a08bca6234de18a8f4adbb5f20f941e

SHA512
a4822fdb251c4cb26ddb6adc04cb1db76e4afcaf3508b970c1030ec92cace671825ebdad91a3cbb60017f4794064a46cd514510ecccb491d14c2fa35cb4279af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\e3f2c003cd.exe

Filesize
1.1MB

MD5
dd2a6f8b3680c176cd8426b435537bc5

SHA1
25267bb6df357a3bc598bd3451b3400da40b59c5

SHA256
b4c60c726ec992939fda147687cc225b8301c340cf58a3553454015743f98730

SHA512
307baef0081f2982cafb8effae856ff4b9205cc7b6e1f7f8c109812a005cd491182dcedbccdd33286e37cc7c9c23bb3d0943f43ac98a227431d4e46655ff6daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.8MB

MD5
67e3d83c9f36d8d2a69f631f8ab56470

SHA1
2fbcb73ccda5ab0383eac715bb33163c942954bd

SHA256
5dd74d7f3408081e7f368e03ef8bf6546c31364df6391941498ac3a96ce773ed

SHA512
d73a5a12523656d51ecd4e50f79b3e96dae9d9e06cb2461b82331e615a33d601cef8d9bca2f127adc3a25e9ba1be4f56eb43871433b1ece77ba697b4a62e0488

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uw01zwc1.ple.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/1104-183-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/1104-181-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/1164-271-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-175-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-184-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-264-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-297-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-225-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-244-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-274-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-261-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-285-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-137-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-240-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-277-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1164-161-0x00000000003F0000-0x00000000009C7000-memory.dmp

Filesize
5.8MB

Download
memory/1868-7-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1868-6-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1868-4-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/1868-5-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000076FA6000-0x0000000076FA8000-memory.dmp

Filesize
8KB

Download
memory/1868-3-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1868-8-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/1868-9-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/1868-0-0x0000000000CF0000-0x00000000011A9000-memory.dmp

Filesize
4.7MB

Download
memory/1868-22-0x0000000000CF0000-0x00000000011A9000-memory.dmp

Filesize
4.7MB

Download
memory/1868-2-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1940-49-0x0000000000910000-0x0000000000DCA000-memory.dmp

Filesize
4.7MB

Download
memory/1940-74-0x0000000000910000-0x0000000000DCA000-memory.dmp

Filesize
4.7MB

Download
memory/3552-270-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/3552-268-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/3620-227-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-279-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-276-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-273-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-287-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-246-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-228-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-186-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-179-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-267-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-242-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-299-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/3620-263-0x0000000000D50000-0x000000000120A000-memory.dmp

Filesize
4.7MB

Download
memory/4632-169-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-26-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/4632-30-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/4632-262-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-245-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-24-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/4632-265-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-241-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-143-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-226-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-25-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/4632-272-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-176-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-31-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/4632-275-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-185-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-27-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/4632-278-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-298-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-28-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/4632-286-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-23-0x0000000000EB0000-0x0000000001369000-memory.dmp

Filesize
4.7MB

Download
memory/4632-29-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/5088-217-0x0000017D28B10000-0x0000017D28B32000-memory.dmp

Filesize
136KB

Download
memory/5088-218-0x0000017D29120000-0x0000017D29132000-memory.dmp

Filesize
72KB

Download
memory/5088-219-0x0000017D28C90000-0x0000017D28C9A000-memory.dmp

Filesize
40KB

Download