amadey | 707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
15/06/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
Size

1.8MB
MD5

511633d068a97859bf4d5f7e11f409ff
SHA1

2f40be2718d1d5edbf0c7ea5cd554b3e34d7fe2f
SHA256

707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a
SHA512

8533a98cb0880467c1e1571da621afd3f39a7ffca00efc075ad0a4762bdfc0ecb0a67f5a0894b59ac75d166da623c176affae422a341a5a691d2fc001814681b
SSDEEP

49152:LfWIcSFLZQkcbl/GRPpXX95mi1nFdvrEUHfr+/V+bzw5Oqm:LCSVZcpeNXOqF9HHTMd

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a8e831af52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a8e831af52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a8e831af52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 9 IoCs

pid	Process
644	explortu.exe
4432	a8e831af52.exe
4852	21a5ca9782.exe
3316	axplong.exe
2296	ee7f893da8.exe
3700	explortu.exe
3148	axplong.exe
5036	explortu.exe
4744	axplong.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	a8e831af52.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\21a5ca9782.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\21a5ca9782.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa55-76.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
644	explortu.exe
4432	a8e831af52.exe
4852	21a5ca9782.exe
3316	axplong.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
3700	explortu.exe
3148	axplong.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
5036	explortu.exe
4744	axplong.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe
4852	21a5ca9782.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
File created	C:\Windows\Tasks\axplong.job	a8e831af52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628898370233776"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1560405787-796225086-678739705-1000\{06FF6463-4727-4095-9A0F-4DAD4625C389}	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
644	explortu.exe
644	explortu.exe
4432	a8e831af52.exe
4432	a8e831af52.exe
3316	axplong.exe
3316	axplong.exe
1732	chrome.exe
1732	chrome.exe
3700	explortu.exe
3700	explortu.exe
3148	axplong.exe
3148	axplong.exe
5036	explortu.exe
5036	explortu.exe
4744	axplong.exe
4744	axplong.exe
4212	chrome.exe
4212	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
1732	chrome.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe
2296	ee7f893da8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4852	21a5ca9782.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 644	3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe	81
PID 3112 wrote to memory of 644	3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe	81
PID 3112 wrote to memory of 644	3112	707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe	81
PID 644 wrote to memory of 1156	644	explortu.exe	82
PID 644 wrote to memory of 1156	644	explortu.exe	82
PID 644 wrote to memory of 1156	644	explortu.exe	82
PID 644 wrote to memory of 4432	644	explortu.exe	83
PID 644 wrote to memory of 4432	644	explortu.exe	83
PID 644 wrote to memory of 4432	644	explortu.exe	83
PID 644 wrote to memory of 4852	644	explortu.exe	84
PID 644 wrote to memory of 4852	644	explortu.exe	84
PID 644 wrote to memory of 4852	644	explortu.exe	84
PID 4432 wrote to memory of 3316	4432	a8e831af52.exe	85
PID 4432 wrote to memory of 3316	4432	a8e831af52.exe	85
PID 4432 wrote to memory of 3316	4432	a8e831af52.exe	85
PID 644 wrote to memory of 2296	644	explortu.exe	86
PID 644 wrote to memory of 2296	644	explortu.exe	86
PID 644 wrote to memory of 2296	644	explortu.exe	86
PID 2296 wrote to memory of 1732	2296	ee7f893da8.exe	87
PID 2296 wrote to memory of 1732	2296	ee7f893da8.exe	87
PID 1732 wrote to memory of 3956	1732	chrome.exe	90
PID 1732 wrote to memory of 3956	1732	chrome.exe	90
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3048	1732	chrome.exe	91
PID 1732 wrote to memory of 3364	1732	chrome.exe	92
PID 1732 wrote to memory of 3364	1732	chrome.exe	92
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93
PID 1732 wrote to memory of 2700	1732	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe
"C:\Users\Admin\AppData\Local\Temp\707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1156
- - C:\Users\Admin\1000015002\a8e831af52.exe
    "C:\Users\Admin\1000015002\a8e831af52.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3316
- - C:\Users\Admin\AppData\Local\Temp\1000016001\21a5ca9782.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\21a5ca9782.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4852
- - C:\Users\Admin\AppData\Local\Temp\1000017001\ee7f893da8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\ee7f893da8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb6ebdab58,0x7ffb6ebdab68,0x7ffb6ebdab78
        5⤵
        
        PID:3956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:2
        5⤵
        
        PID:3048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        
        PID:3364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        
        PID:2700
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:1
        5⤵
        
        PID:3580
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:1
        5⤵
        
        PID:536
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:1
        5⤵
        
        PID:5108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:1
        5⤵
        
        PID:2216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3996 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        
        PID:532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4752
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        
        PID:2992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        
        PID:3544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:8
        5⤵
        
        PID:4860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1460 --field-trial-handle=1816,i,8444301069663180451,16303961881115517918,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\a8e831af52.exe

Filesize
1.8MB

MD5
515f0ca896c37e51764800d12a61afe3

SHA1
13e20848146cf08c8be0ad074ed03785a9d48569

SHA256
496ac6c3431c869dfd6ed7e299e86fe46ce5a0c41e3ce54f39a4f1ea8eb8e701

SHA512
bb43e46518ca8282480ee052d2de930c5ee5445a23d6a0f934e37b4e88e4a9f7ef00b4e909168e66b61258935c468b467f05168afab29a3a00fb20a682175e6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
66ec8c8a7fdb10b503900e6e3a705f55

SHA1
753e2119f464bd3f0887a7c7dcb97aa35322ac22

SHA256
c952e51f278c7801e3e36798d096e840ff49aff68961915a20cdbdcf78e3fd21

SHA512
8850ab6216eb3252e24fcee2249b53519b83d666dee600b98c622741274f38c5862074c7ffbf721d4bfa5820848443932260aedc445d866cdfb9a2ef34f5c009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
74534bde6180f929948a6bda93cdd7bb

SHA1
7553968ba22f236bab427d3d1b63ec63d15e5c1c

SHA256
80cea597223df98803592b9e3c5104bef57cb8430ec18d68c9908dd66b934081

SHA512
f5dfe4c67dfd48bcb9cb2cdd09a56157a01faec16936a1ac574c56fcb6bc1d48b44b6e7437d0bbd04fb2b97b9f4d8f7171eab2ed6fa8e3cd1afc46fc60513748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7ffe3978cc6b172d937271abb79679fc

SHA1
2f45d0d5c4dac7c69cd049f9386930d888359dde

SHA256
cd6f857c7780b689189005f49ac79b0029a54834aa7e6f43db4b54119763d66e

SHA512
976518826d4ee3103d9d7c23f52d48eab1275537d9a2515e06239ecce71d2e9a52c9ff8ab0671b27de9f6306e3fa4edd7bc4b6d0cc56cd304bdaf9e3ff6bca68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
d4775094bf51074e05aabd91b9a9fe40

SHA1
d19968d6f99fccbddb64f74dd93d1a3d55f6218c

SHA256
9368222c3751f6d82965cb2758718dfe6786efc54fddfee62b33eba7fd8257a2

SHA512
0bda92e0f08271b88d0bad1933570d9b3046da005e42cd6a86786380df56f86948120edbcef2a1c68a00788502d320195f53a5a9234cabfc236504e373a38b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7205c13db2b9eb694de97c675f97a9b0

SHA1
802535556af41145b591bcc9d886af57399c52f4

SHA256
3e7489f5ca056fd9001cab40a1c293c99609b86474f4b0e01540aefa62c692f6

SHA512
b55f04e8359a8ea92ab0904149fd8754c33804efa6993ed777c05e2d0f943d68356f516bb5b6943469e64483a95aeb2de450562fbc4a3ee4ca95951bcddf1ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
86b063e955d46ef1e2a9bd56cd4271d2

SHA1
f51f85adfd99f80bc4de4e9d7a5508b05285e6de

SHA256
382c4fe8ef519ee2a49acd272bdb82dcfa4745e9649f4c630196f901abb384a7

SHA512
0993374bef16ed968b26d5c98031186d5282b00ca8cf3b7da9a8699692bb8c1cd20fb8f907774e17e998753d0752ff4947296c1b4ac7fea0b908c77df3bd345c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ce08ea8b9cb1f55786e0bc4f12f5bef4

SHA1
c1acf55d554ab2cec7966238f9b9a6e66fad29d7

SHA256
5aee088fdec34ba60fe9addbea85e71ff4b9a5e498e4af9eb0d3be9fbaa16c51

SHA512
01046083a1b5faf0a44d17380cacf96e32aa2506b680575e4d4ab8338b686b3133c02ed89514ce48f123572195045d182cd53e0d619f65fc760936273388f997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
07cf215dab7f1250d13a5c69fb98f67e

SHA1
be2adbe2ddb5b7833d9041911fc7dfe50b6b616d

SHA256
e3b0d008bb7ea6fa462d2cc5dc479148bc257eb300ebf7a023a7be9871a4d0ec

SHA512
57dda44021aa3c12a1dbdeb43855ae6fa0d9394f068f20343eb3ce0b5520e51f69bd136da2566942aca9cb58e66370a4a00aab7ccc96c56d88909e82fd96d2ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ab8e05a8-62c5-4909-8a8b-ed2b7c5b822c.tmp

Filesize
276KB

MD5
dfae1a522f0e2d99f9a6faa8ae37e3ac

SHA1
0e6026014aaad7df8aff09a31c6b7dd4c33acab9

SHA256
ea5aef76d774385a44dffd435f0f9bca9050a79b1718047f30c70c41cba58ae0

SHA512
7b5e7d059a92ee3da89bd44f96717407e7104c197a6fa8763f000f4dc61fcd9e5673777f2f9844346b7b50419065fa36103bd069c48c1e9349282c99404bdadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\21a5ca9782.exe

Filesize
1.3MB

MD5
807a47c7a26cd56e25525927c42b7ab5

SHA1
57b84c769fa1554f906c5ae5531fe4d34f508f04

SHA256
fd31856fe57e9c46a03b41329e3de00f9fadebe87494c3622e86623118c7a478

SHA512
d6c1f3ba2e37e695f9deea0cf14a06c4bc1cb91e304360b03c0e5b6bd7f730b2089d6c86daaccf5b2d6b353651b4f7b44836202dc1a9d2b526a1754cf35f5925

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\ee7f893da8.exe

Filesize
1.1MB

MD5
94c3e9dc44b8776921399f6dd944dea8

SHA1
d3f19789e31ec09ee3b3394f865ef80b3343cd4f

SHA256
826c5e2b824cfb2bc574de9257052376b7b32729aeb80742842e4a92ada0dded

SHA512
fc37b31bc489465a90857987e9a8fdb3a797ec0d2ea22ccb0cecaec670f29e5372acfba1af966b4df50cacee9ae57f0a587941e4c0ac7fb29fd199339249ac02

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
511633d068a97859bf4d5f7e11f409ff

SHA1
2f40be2718d1d5edbf0c7ea5cd554b3e34d7fe2f

SHA256
707115b4eb414aee94081531ab3644e8f9e4559da4b11b7e0f77e8359a928a2a

SHA512
8533a98cb0880467c1e1571da621afd3f39a7ffca00efc075ad0a4762bdfc0ecb0a67f5a0894b59ac75d166da623c176affae422a341a5a691d2fc001814681b

Download Submit
memory/644-21-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-162-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-253-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-282-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-190-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-20-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-136-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-250-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-247-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-19-0x0000000000731000-0x000000000075F000-memory.dmp

Filesize
184KB

Download
memory/644-202-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-18-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-161-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-261-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-205-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-238-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-235-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-174-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/644-209-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/3112-2-0x00000000004A1000-0x00000000004CF000-memory.dmp

Filesize
184KB

Download
memory/3112-1-0x00000000778D6000-0x00000000778D8000-memory.dmp

Filesize
8KB

Download
memory/3112-3-0x00000000004A0000-0x000000000093F000-memory.dmp

Filesize
4.6MB

Download
memory/3112-4-0x00000000004A0000-0x000000000093F000-memory.dmp

Filesize
4.6MB

Download
memory/3112-17-0x00000000004A0000-0x000000000093F000-memory.dmp

Filesize
4.6MB

Download
memory/3112-0-0x00000000004A0000-0x000000000093F000-memory.dmp

Filesize
4.6MB

Download
memory/3148-189-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3148-186-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-237-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-183-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-284-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-145-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-204-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-249-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-207-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-263-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-241-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-180-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-192-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-211-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-252-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-173-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-71-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3316-255-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/3700-188-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/3700-184-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/4432-70-0x0000000000FD0000-0x000000000146E000-memory.dmp

Filesize
4.6MB

Download
memory/4432-39-0x0000000000FD0000-0x000000000146E000-memory.dmp

Filesize
4.6MB

Download
memory/4744-246-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/4744-244-0x00000000005A0000-0x0000000000A3E000-memory.dmp

Filesize
4.6MB

Download
memory/4852-210-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-254-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-248-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-191-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-144-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-251-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-239-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-172-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-236-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-283-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-182-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-206-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-262-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-56-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-55-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/4852-203-0x0000000000600000-0x0000000000B32000-memory.dmp

Filesize
5.2MB

Download
memory/5036-245-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download
memory/5036-242-0x0000000000730000-0x0000000000BCF000-memory.dmp

Filesize
4.6MB

Download