amadey | 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
14/06/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
Size

1.8MB
MD5

fc8b4ad76d2b7b814f6fcaeed5d0af75
SHA1

b14cd344e70a5fec100925d32d08399671e4f434
SHA256

022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
SHA512

51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347
SSDEEP

49152:z32SkrBRq+zNtYu3/UOXTqPsVNEYlv4jWBHSsY5B5AyZ:wrXtzL9vtqPuNEYliws

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0475a1f4f0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0475a1f4f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0475a1f4f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 9 IoCs

pid	Process
1140	explortu.exe
3576	0475a1f4f0.exe
2824	axplong.exe
952	3d9e59d87a.exe
4948	e8ae7510b5.exe
4964	axplong.exe
4708	explortu.exe
5028	axplong.exe
3140	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	0475a1f4f0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\3d9e59d87a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\3d9e59d87a.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa7d-77.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
1140	explortu.exe
3576	0475a1f4f0.exe
952	3d9e59d87a.exe
2824	axplong.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
4964	axplong.exe
4708	explortu.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
5028	axplong.exe
3140	explortu.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe
952	3d9e59d87a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
File created	C:\Windows\Tasks\axplong.job	0475a1f4f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628487439570666"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{16481371-85AD-4C04-9361-EE55E268B349}	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
1140	explortu.exe
1140	explortu.exe
3576	0475a1f4f0.exe
3576	0475a1f4f0.exe
2824	axplong.exe
2824	axplong.exe
4040	chrome.exe
4040	chrome.exe
4964	axplong.exe
4964	axplong.exe
4708	explortu.exe
4708	explortu.exe
5028	axplong.exe
5028	axplong.exe
3140	explortu.exe
3140	explortu.exe
1488	chrome.exe
1488	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
3576	0475a1f4f0.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4948	e8ae7510b5.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4040	chrome.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4948	e8ae7510b5.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe
4948	e8ae7510b5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	3d9e59d87a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1140	2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe	80
PID 2376 wrote to memory of 1140	2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe	80
PID 2376 wrote to memory of 1140	2376	022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe	80
PID 1140 wrote to memory of 2240	1140	explortu.exe	81
PID 1140 wrote to memory of 2240	1140	explortu.exe	81
PID 1140 wrote to memory of 2240	1140	explortu.exe	81
PID 1140 wrote to memory of 3576	1140	explortu.exe	82
PID 1140 wrote to memory of 3576	1140	explortu.exe	82
PID 1140 wrote to memory of 3576	1140	explortu.exe	82
PID 3576 wrote to memory of 2824	3576	0475a1f4f0.exe	83
PID 3576 wrote to memory of 2824	3576	0475a1f4f0.exe	83
PID 3576 wrote to memory of 2824	3576	0475a1f4f0.exe	83
PID 1140 wrote to memory of 952	1140	explortu.exe	84
PID 1140 wrote to memory of 952	1140	explortu.exe	84
PID 1140 wrote to memory of 952	1140	explortu.exe	84
PID 1140 wrote to memory of 4948	1140	explortu.exe	85
PID 1140 wrote to memory of 4948	1140	explortu.exe	85
PID 1140 wrote to memory of 4948	1140	explortu.exe	85
PID 4948 wrote to memory of 4040	4948	e8ae7510b5.exe	86
PID 4948 wrote to memory of 4040	4948	e8ae7510b5.exe	86
PID 4040 wrote to memory of 960	4040	chrome.exe	89
PID 4040 wrote to memory of 960	4040	chrome.exe	89
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 1968	4040	chrome.exe	90
PID 4040 wrote to memory of 4200	4040	chrome.exe	91
PID 4040 wrote to memory of 4200	4040	chrome.exe	91
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92
PID 4040 wrote to memory of 2760	4040	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
"C:\Users\Admin\AppData\Local\Temp\022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2240
- - C:\Users\Admin\1000015002\0475a1f4f0.exe
    "C:\Users\Admin\1000015002\0475a1f4f0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2824
- - C:\Users\Admin\AppData\Local\Temp\1000016001\3d9e59d87a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\3d9e59d87a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\1000017001\e8ae7510b5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\e8ae7510b5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1d95ab58,0x7fff1d95ab68,0x7fff1d95ab78
        5⤵
        
        PID:960
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:2
        5⤵
        
        PID:1968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        
        PID:4200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        
        PID:2760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:1
        5⤵
        
        PID:2516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:1
        5⤵
        
        PID:3204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:1
        5⤵
        
        PID:2176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4448 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:1
        5⤵
        
        PID:1816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4536 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        
        PID:908
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:924
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        
        PID:3120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        
        PID:4964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:8
        5⤵
        
        PID:3980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1844,i,9418531550786099249,17395347143858576800,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4708

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\0475a1f4f0.exe

Filesize
1.8MB

MD5
998706725634e1581ecc107925f4478c

SHA1
bf893b7e7232cca87f270d40fd01b338e5a1994e

SHA256
bd3db9aa6426b8c4fcfdcdd7f77905c55350e4b8f84d83837fe903785016d2a9

SHA512
e9683cc11951a3ab7a396e15cb4159b771c4b54a516067f1268271d002ba1288edbbf823378b847becae00e44e808b7d6cdb6f50f8121e98ebbdf049f5837fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
dd4b3020a3219b030c833367bdd620e1

SHA1
53c46125825627f45ea26ed4857e8bd1aeeee3e8

SHA256
72a400070967570e4620a8fcbde34cac38026e7aa5c74f50d20d3f23801f0ad3

SHA512
c15c648501a7fe73725ee1ae8147a8bc2270d1bd074fd71c760f0e631a5108cd9f8e7ab30a2a98c3c6f227b92663a6cdc12fce9c7c25da671e631c88c235ff38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5798d75b7c8381c6ecde8e4132f91cc5

SHA1
7e6f222ed8f67cdcedd054afc398f67f0d12b2d8

SHA256
5cc3f4d44c7660ba015371517d0f15ba210f6acc1233b9b8060ac940a56d0a18

SHA512
149314595b2074e887d3eb112df61b4e0d17233fa8ea8c27e0afbef2e4d6415312d031052895234a2c8f789b7260726398d362c83009c17a77b6b6517c410e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a2c239ade31f963d4d0b9d1354222961

SHA1
bd78afaf1e54933ee56349b9f4d53a97e4a6c00f

SHA256
5b39d9c7a7b526bed25b38dcad05c25da66a6a8990dfd78003a99070eb8af7ac

SHA512
ef3cba5c0a114ccdd4a23bbd2fc33a6297ab1351f1662b1689a8ddabeedb95ab68c236e2b76141f412cc93f91fc104fb4836484e9ffeff369a9a3493ec439659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
fd9a8d2ec46b090443318efdbe36d5ad

SHA1
60697fa07b9dec329518ae450c9c5f9aa7616099

SHA256
34191aa407cdcfab84896b2a4dcb716eaf0b5488f21fac4f1831f73f5220193f

SHA512
1fa8223e7b9fd3fd2bb6d54b36fab18019029a713726b47259b10ba39b478d610d3631298594d17644b1994474084ce0cdea8c08d8160f5eeb63adf106e2e65c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
36b7de91933fa33361784321c61306d9

SHA1
1341cdb102f16adba5268b72c28007da5a320382

SHA256
179584109ab3ae5a019e7b34a24308676233f841214ab44770d9a3a02a4c8842

SHA512
b3a3ed149b210b9a1d69b719e0f816d6edec3bd7a7d3c58db16676b90e76b82444fff4948a4f2309f090bb8953d50758f3dae1e43d359cc68797801b7f8ef5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0fb91b794e22876142e6185aa9aa097c

SHA1
075095cb09d53b0c15c1063524773549f04cc3aa

SHA256
8bd49d7b96ffcef39081a6b19dbe48c0e78fb90a10c34feab423496a5cf83144

SHA512
214b5cb0d359ef05734096c32412b4b1be6ae694690ae54452d964c200af0283c5f99089b603df9187c55a287e108e9636dda6c8e7d3b82385e4edd615fb5890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
acc882b09819b20fc807b5f02b5fae5c

SHA1
2eb26321da74168a08be663327324f2a74ca779c

SHA256
f1a55d4af88f0183011f42d085eb66c97496e93554b2a2b6fbb3951fabd941d3

SHA512
80d5212d6f2443bb33fdc0cabfe866e0ef4433a130db132a2fd23601eef082892d5c5f2cda8bfed963b347a250a7da2a03012dab7eeafc95d1f1e6f63d693711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
1c3171b228e7359e9e0321857b859496

SHA1
0bc49c40f99a5d4e32c92fcc50ac0239dc4e2d50

SHA256
bf6944ebfcbd4de588dea5906233a2e999fce32c9e8b8d491106093767392633

SHA512
76c20dc17a0655e47bcc371c7cb641f086c39ace17a9ce424a97edfa17faff2b70a9820b95e527c17ce15b88365c7d32354cef9f18ededdf51c88eb69b256017

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\3d9e59d87a.exe

Filesize
1.3MB

MD5
82b6928753e4200f3eca9fb875d54ae5

SHA1
a3fb800a6c16feaddadf455ef3bdca52d3041c17

SHA256
7219500754a154a827e95bc7f9ad2d36047b024d0efd2cdd14427a3ba5904251

SHA512
a596994bc02dbba6683be46fe3e58c7877d44df4103c2fe61714bf910cc4bb502ce2a93c16b4c193bf1cc20dbd3b2b9c70d46bd48f7aeb65a8d22bac7f66c7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\e8ae7510b5.exe

Filesize
1.1MB

MD5
eeca7475e0c5e8d6935c229b7c0d83d2

SHA1
26c9de87a8dce878446df12fbb9b2277a0fee970

SHA256
a06c7c2fba7a355d0c4c59f530855dcc28c1bcc2d53b596cb208347a10e296e9

SHA512
b29aaae9b7d262c42aa12aff37e0e28c3188ef055057d90b66460446ddeb1fe58b6146af0ace1f3c24a713f7a6e7550a557f4f982918914f686c0d6fdfa58c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
fc8b4ad76d2b7b814f6fcaeed5d0af75

SHA1
b14cd344e70a5fec100925d32d08399671e4f434

SHA256
022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2

SHA512
51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347

Download Submit
memory/952-212-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-145-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-70-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-174-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-238-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-205-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-248-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-208-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-193-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-190-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-251-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-254-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-257-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-265-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-177-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/952-277-0x0000000000230000-0x0000000000762000-memory.dmp

Filesize
5.2MB

Download
memory/1140-191-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-252-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-175-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-163-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-266-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-263-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-162-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-255-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-18-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-249-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-146-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-19-0x00000000001A1000-0x00000000001CF000-memory.dmp

Filesize
184KB

Download
memory/1140-239-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-20-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-203-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-21-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-99-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-206-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-227-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/1140-210-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/2376-0-0x0000000000F10000-0x00000000013CB000-memory.dmp

Filesize
4.7MB

Download
memory/2376-1-0x00000000775D6000-0x00000000775D8000-memory.dmp

Filesize
8KB

Download
memory/2376-2-0x0000000000F11000-0x0000000000F3F000-memory.dmp

Filesize
184KB

Download
memory/2376-3-0x0000000000F10000-0x00000000013CB000-memory.dmp

Filesize
4.7MB

Download
memory/2376-5-0x0000000000F10000-0x00000000013CB000-memory.dmp

Filesize
4.7MB

Download
memory/2376-17-0x0000000000F10000-0x00000000013CB000-memory.dmp

Filesize
4.7MB

Download
memory/2824-237-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-253-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-144-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-211-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-276-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-264-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-256-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-247-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-192-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-189-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-250-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-207-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-173-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-61-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/2824-204-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/3140-246-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/3140-243-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/3576-39-0x0000000000B60000-0x0000000001017000-memory.dmp

Filesize
4.7MB

Download
memory/3576-60-0x0000000000B60000-0x0000000001017000-memory.dmp

Filesize
4.7MB

Download
memory/4708-188-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/4708-180-0x00000000001A0000-0x000000000065B000-memory.dmp

Filesize
4.7MB

Download
memory/4964-187-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/4964-178-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/5028-245-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download
memory/5028-241-0x0000000000E00000-0x00000000012B7000-memory.dmp

Filesize
4.7MB

Download