amadey | 752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
17-06-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
Size

1.8MB
MD5

83c6eb289b11216a78d740ef9912c532
SHA1

1d6281b4eb9934e29710546732267bca499807da
SHA256

752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091
SHA512

2a591fc1e632b0a8d53b8288be704d773a492551cde99581a2edf902ffbdb6946c2736778e6b3e6929d000ca2ea510caed91bed57bd6718212c2ea6d6ef556f6
SSDEEP

49152:nR0vundVt1iG8WNDbB6RCmYcBcg6fcikgfUn:nRfddiG8W6Rk+cDhw

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a85c59269a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a85c59269a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a85c59269a.exe

Executes dropped EXE 9 IoCs

pid	Process
940	explortu.exe
1544	a85c59269a.exe
2744	dfbdfeba95.exe
4996	axplong.exe
1388	7c73993919.exe
4848	axplong.exe
3632	explortu.exe
3508	axplong.exe
900	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	a85c59269a.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfbdfeba95.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\dfbdfeba95.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aaa4-77.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
3700	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
940	explortu.exe
1544	a85c59269a.exe
4996	axplong.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
4848	axplong.exe
3632	explortu.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
3508	axplong.exe
900	explortu.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe
2744	dfbdfeba95.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
File created	C:\Windows\Tasks\axplong.job	a85c59269a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630611217560763"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-423582142-4191893794-1888535462-1000\{C767CBA0-1FD7-44A5-BA78-FEB6999A5204}	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3700	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
3700	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
940	explortu.exe
940	explortu.exe
1544	a85c59269a.exe
1544	a85c59269a.exe
4996	axplong.exe
4996	axplong.exe
4688	chrome.exe
4688	chrome.exe
4848	axplong.exe
4848	axplong.exe
3632	explortu.exe
3632	explortu.exe
3508	axplong.exe
3508	axplong.exe
900	explortu.exe
900	explortu.exe
4756	chrome.exe
4756	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
1388	7c73993919.exe
1388	7c73993919.exe
4688	chrome.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe
1388	7c73993919.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	dfbdfeba95.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 940	3700	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe	81
PID 3700 wrote to memory of 940	3700	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe	81
PID 3700 wrote to memory of 940	3700	752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe	81
PID 940 wrote to memory of 4992	940	explortu.exe	82
PID 940 wrote to memory of 4992	940	explortu.exe	82
PID 940 wrote to memory of 4992	940	explortu.exe	82
PID 940 wrote to memory of 1544	940	explortu.exe	83
PID 940 wrote to memory of 1544	940	explortu.exe	83
PID 940 wrote to memory of 1544	940	explortu.exe	83
PID 940 wrote to memory of 2744	940	explortu.exe	84
PID 940 wrote to memory of 2744	940	explortu.exe	84
PID 940 wrote to memory of 2744	940	explortu.exe	84
PID 1544 wrote to memory of 4996	1544	a85c59269a.exe	85
PID 1544 wrote to memory of 4996	1544	a85c59269a.exe	85
PID 1544 wrote to memory of 4996	1544	a85c59269a.exe	85
PID 940 wrote to memory of 1388	940	explortu.exe	86
PID 940 wrote to memory of 1388	940	explortu.exe	86
PID 940 wrote to memory of 1388	940	explortu.exe	86
PID 1388 wrote to memory of 4688	1388	7c73993919.exe	87
PID 1388 wrote to memory of 4688	1388	7c73993919.exe	87
PID 4688 wrote to memory of 2384	4688	chrome.exe	90
PID 4688 wrote to memory of 2384	4688	chrome.exe	90
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 648	4688	chrome.exe	91
PID 4688 wrote to memory of 4988	4688	chrome.exe	92
PID 4688 wrote to memory of 4988	4688	chrome.exe	92
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93
PID 4688 wrote to memory of 3512	4688	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe
"C:\Users\Admin\AppData\Local\Temp\752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4992
- - C:\Users\Admin\1000015002\a85c59269a.exe
    "C:\Users\Admin\1000015002\a85c59269a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:4996
- - C:\Users\Admin\AppData\Local\Temp\1000016001\dfbdfeba95.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\dfbdfeba95.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\1000017001\7c73993919.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\7c73993919.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff17c1ab58,0x7fff17c1ab68,0x7fff17c1ab78
        5⤵
        
        PID:2384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:2
        5⤵
        
        PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        
        PID:4988
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        
        PID:3512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:1
        5⤵
        
        PID:2204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:1
        5⤵
        
        PID:4660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:1
        5⤵
        
        PID:5044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3212 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:1
        5⤵
        
        PID:1524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4388 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        
        PID:4624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:2392
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        
        PID:2260
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        
        PID:5024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:8
        5⤵
        
        PID:3228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=2016,i,1888582791468945933,18390722112970571327,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4756

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3632

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\a85c59269a.exe

Filesize
1.8MB

MD5
f35998aadf7927a6691b014bff78e263

SHA1
c0f3e464c4db18dfdd9ee56e187870dc1a8cad14

SHA256
65b83951ec032ba7108ec6d84b9c50236f913420d55a36818a5ad36c604c83f3

SHA512
931489217e7cafa3e116174028c1c3de5edacc9628c9df6b4bc4ecb8d9cea13d2a06590230ba65ab7aed65b8ee50e1c2ba67a250edad96a3eaec2d30ad6c2ee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
7380a1d7e0ac615b0953fabc255215de

SHA1
ca43ac165bf9510bf5d54ac1470de94b90393aba

SHA256
8222f17fe9ece1716590be81e7ba0fe6f718fab6f936c029563011572e4c6685

SHA512
f6428d16709b9323263477cef1d5bfa3e2aa5de1d95f478eeaef12c72bf86ff4800fefc408e0f7ceb76dc9473516c81d3bb640552d6d4ab5c67d7af6be7af3c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
de52de35d80f368069f454d6c0e955b0

SHA1
c24f507f6d888f5fa3cc1d984bc49be5a9d287cb

SHA256
eb349426b8ed801de13508e29cb5145767139972561faa97c832fa73c8ac24f0

SHA512
dc11111d9006febc72a152ecb7a16563c785db5a76815eb789099f691c82756eb51a2f13e43a1095fa11d9c8a7e716e13585c9316183467bea4b65203fa35945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3f11b8e2334051ac2e1adeff1eadd1df

SHA1
88331afc2143b0963b13b8c2b13049918d2bca5f

SHA256
6bb8d455dd8004dc280a7595b7be274129b8b320b6a3aaf021dbd1f9201c1e82

SHA512
5e2877be17a186d5e9a7c7126ce754a8d3e3ab8caf5da6a203fbbd2d5937c47621e749801384e8eb391f488e6ce453635a6b4ac3725e82d2eb18ad4a72fef201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f5c7a04e8aca17bc5fc66d2d6e1fae85

SHA1
919f184e17b99936a11786eb33abdf43f9487cd3

SHA256
745e180aa0aa14c1e530f64393608b1506ed9b0aba13a55f12a218c689ba326c

SHA512
cefef4c7d474b435c862f2476112011bbeacfed378a87c5a1ddd7c3b7a56732def27c500b5cc84df73247e75583f00ec28e5d6cb1833237853a6773c24c3a14f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
aee599ac9ed1cf4d47036ae26ea8a938

SHA1
8cbe1fb886739ffcdfcc6fbd338e1cf1415beaf7

SHA256
bcb3c9262f61a0b4280de0ad8a7e2745ceb6705655a7f7082e18c7538435ca3a

SHA512
e3e0255be24ab6c01cdcfcf936f5356701bb157a07d172de2906182ad615e237b892822c10a59cf99d869111c2467fda4b3075ab137f4f657d554768f3eb5c2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f237f5433a503d468e05d5b62cc136bb

SHA1
413555922e509636d9352b50226683888391e9ab

SHA256
8990e8abe915ec69d28f17c820d895d534a3144117b955a739eed4496922a890

SHA512
1ab23a44a0c14d839e6b49de9e5172696f15224a3a7a2f4ca576920832543ccb41b0cbb9233cf0d88ad368d444c3c50354ac425b37c9a99b698c723098b5ffd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
35e19c42e9f50da80355c92a1216d1b9

SHA1
b50b8a397003447a6aed284a01c5213fbc44d4ec

SHA256
9f387f3d0fe58eb81e81877ac9bbd18b5963c3bf1f895c444e6ad8a275c2d8ac

SHA512
fae4283d53c08e0fb54d1ce7d2cded55edef07162d170ada6e2cb2ba397b6dd45ff0803b6562c6aff2a003a96c4793e8acc2649c5a9a3e6e538e18bca41ed68b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
c040e3799a65c08fe7f34b530fcfef2b

SHA1
695b61254e30224ea6227ea65e7850299784494c

SHA256
f7436588b6a08048a37e9e439257bdca397db98cdeb31a29c1185cc684a3bd65

SHA512
b7da00cbe0886efb39d02595ea950f1fded276cd024d74e4bdae772eb955b748968872772662a189ea1ae648851a29259f3166835bb88ea04143fbbe33343cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\dfbdfeba95.exe

Filesize
1.3MB

MD5
8ba2edb1c1cbc3a5e2d493737b95023c

SHA1
d40afaf7d79ccbcacd07d717baa036dbc5735a5f

SHA256
4fc628d820ef580fd3c68018c98734b0df82863622eca1670e465a4c3b40ccd1

SHA512
6753db224c2e1e51976c70e61d3a2b8985a79d8d51675a8ac49176e6acfdece514cdc71d24ae1a0bd3017d4721eeffb81f49de76ac7317967892db7c1287b73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\7c73993919.exe

Filesize
1.1MB

MD5
08be444cfa088e1533c2764c2a237339

SHA1
7174f7433e437a68fdc4861127f314bef450c234

SHA256
2d1f3e95bd7bb1b7ffe873c25590166039b1ccf2ad5693538d212e84a30bd370

SHA512
936add4bd37685793d600feeecf6fd9ff0d3a8fd6e95167e9c3cfc8948c8cfafeec000ef87e2e6a343acaa38b5c4a52b495af43dcbce06a11854ea163cdb708b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
83c6eb289b11216a78d740ef9912c532

SHA1
1d6281b4eb9934e29710546732267bca499807da

SHA256
752302d26e3bedaf798c01917fd2eeb04f789eb58ab60fb13b64ca613237b091

SHA512
2a591fc1e632b0a8d53b8288be704d773a492551cde99581a2edf902ffbdb6946c2736778e6b3e6929d000ca2ea510caed91bed57bd6718212c2ea6d6ef556f6

Download Submit
memory/900-253-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/900-249-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-20-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-18-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-197-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-245-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-206-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-181-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-137-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-239-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-21-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-185-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-19-0x0000000000591000-0x00000000005BF000-memory.dmp

Filesize
184KB

Download
memory/940-242-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-162-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-165-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-166-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-256-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-227-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-265-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-277-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/940-210-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/1544-39-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/1544-40-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/1544-71-0x0000000000420000-0x00000000008EE000-memory.dmp

Filesize
4.8MB

Download
memory/2744-186-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-145-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-278-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-266-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-257-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-254-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-56-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-57-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-204-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-243-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-183-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-207-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-240-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-237-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-211-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/2744-174-0x0000000000D00000-0x0000000001232000-memory.dmp

Filesize
5.2MB

Download
memory/3508-251-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/3508-247-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/3632-203-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/3632-201-0x0000000000590000-0x0000000000A40000-memory.dmp

Filesize
4.7MB

Download
memory/3700-3-0x00000000002E0000-0x0000000000790000-memory.dmp

Filesize
4.7MB

Download
memory/3700-1-0x0000000077496000-0x0000000077498000-memory.dmp

Filesize
8KB

Download
memory/3700-2-0x00000000002E1000-0x000000000030F000-memory.dmp

Filesize
184KB

Download
memory/3700-5-0x00000000002E0000-0x0000000000790000-memory.dmp

Filesize
4.7MB

Download
memory/3700-0-0x00000000002E0000-0x0000000000790000-memory.dmp

Filesize
4.7MB

Download
memory/3700-15-0x00000000002E0000-0x0000000000790000-memory.dmp

Filesize
4.7MB

Download
memory/4848-202-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4848-199-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-244-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-72-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-146-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-238-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-212-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-255-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-205-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-182-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-258-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-175-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-184-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-267-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-241-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-209-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-196-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-279-0x0000000000C30000-0x00000000010FE000-memory.dmp

Filesize
4.8MB

Download