amadey | 22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
18/06/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
Size

1.8MB
MD5

202a86af444f02afe35478c115432a71
SHA1

376574c41c33218aaaa9d916034f22fc8094fdbb
SHA256

22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c
SHA512

67950deaa801af5e98d1e10deceaa62b0348950cd50222a054787bf021505029eadd776db77fb8aa897fbd686a6c58a3701618c3254913f92660790c8e4c1c87
SSDEEP

49152:76VbPJHF9xeF7+FQ96Lo9vGSHnGdLnrbQcGjo:7OhvxDW968s+cLrbQ1

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b925f64513.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b925f64513.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b925f64513.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 11 IoCs

pid	Process
484	explortu.exe
4872	b925f64513.exe
1944	4b6c24b74d.exe
2672	axplong.exe
4636	db28df8430.exe
232	axplong.exe
244	explortu.exe
2432	axplong.exe
5064	explortu.exe
4584	axplong.exe
3304	explortu.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	b925f64513.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b6c24b74d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\4b6c24b74d.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aac5-77.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
484	explortu.exe
4872	b925f64513.exe
2672	axplong.exe
1944	4b6c24b74d.exe
232	axplong.exe
244	explortu.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
2432	axplong.exe
5064	explortu.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
1944	4b6c24b74d.exe
4584	axplong.exe
3304	explortu.exe
1944	4b6c24b74d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
File created	C:\Windows\Tasks\axplong.job	b925f64513.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632246571868945"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-423582142-4191893794-1888535462-1000\{E733EDAA-DE6A-4931-84FA-9FB355A50349}	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
484	explortu.exe
484	explortu.exe
4872	b925f64513.exe
4872	b925f64513.exe
2672	axplong.exe
2672	axplong.exe
4912	chrome.exe
4912	chrome.exe
232	axplong.exe
232	axplong.exe
244	explortu.exe
244	explortu.exe
2432	axplong.exe
2432	axplong.exe
5064	explortu.exe
5064	explortu.exe
4812	chrome.exe
4812	chrome.exe
4584	axplong.exe
4584	axplong.exe
3304	explortu.exe
3304	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
4872	b925f64513.exe
4636	db28df8430.exe
4636	db28df8430.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4636	db28df8430.exe
4912	chrome.exe
4636	db28df8430.exe
4636	db28df8430.exe
4912	chrome.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4636	db28df8430.exe
4636	db28df8430.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe
4636	db28df8430.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1944	4b6c24b74d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 484	4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe	81
PID 4816 wrote to memory of 484	4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe	81
PID 4816 wrote to memory of 484	4816	22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe	81
PID 484 wrote to memory of 756	484	explortu.exe	82
PID 484 wrote to memory of 756	484	explortu.exe	82
PID 484 wrote to memory of 756	484	explortu.exe	82
PID 484 wrote to memory of 4872	484	explortu.exe	83
PID 484 wrote to memory of 4872	484	explortu.exe	83
PID 484 wrote to memory of 4872	484	explortu.exe	83
PID 484 wrote to memory of 1944	484	explortu.exe	84
PID 484 wrote to memory of 1944	484	explortu.exe	84
PID 484 wrote to memory of 1944	484	explortu.exe	84
PID 4872 wrote to memory of 2672	4872	b925f64513.exe	85
PID 4872 wrote to memory of 2672	4872	b925f64513.exe	85
PID 4872 wrote to memory of 2672	4872	b925f64513.exe	85
PID 484 wrote to memory of 4636	484	explortu.exe	86
PID 484 wrote to memory of 4636	484	explortu.exe	86
PID 484 wrote to memory of 4636	484	explortu.exe	86
PID 4636 wrote to memory of 4912	4636	db28df8430.exe	87
PID 4636 wrote to memory of 4912	4636	db28df8430.exe	87
PID 4912 wrote to memory of 4216	4912	chrome.exe	90
PID 4912 wrote to memory of 4216	4912	chrome.exe	90
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 4576	4912	chrome.exe	91
PID 4912 wrote to memory of 2936	4912	chrome.exe	92
PID 4912 wrote to memory of 2936	4912	chrome.exe	92
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93
PID 4912 wrote to memory of 1568	4912	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe
"C:\Users\Admin\AppData\Local\Temp\22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:756
- - C:\Users\Admin\1000015002\b925f64513.exe
    "C:\Users\Admin\1000015002\b925f64513.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2672
- - C:\Users\Admin\AppData\Local\Temp\1000016001\4b6c24b74d.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\4b6c24b74d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\1000017001\db28df8430.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\db28df8430.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff970b3ab58,0x7ff970b3ab68,0x7ff970b3ab78
        5⤵
        
        PID:4216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:2
        5⤵
        
        PID:4576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        
        PID:2936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        
        PID:1568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:1
        5⤵
        
        PID:3124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:1
        5⤵
        
        PID:4692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:1
        5⤵
        
        PID:3052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4376 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:1
        5⤵
        
        PID:3456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4564 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        
        PID:3240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        
        PID:1880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        
        PID:4740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:8
        5⤵
        
        PID:1304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1844,i,6274760712928267819,13797621605590563704,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:244

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\b925f64513.exe

Filesize
1.8MB

MD5
a87c3bb0bbfcb7ce62a9d87b9bd40c5f

SHA1
b9596a627958fa0d4cc1725739289b591f962fc8

SHA256
84f34350270105a5565e9c8d108fdbe3bffffd7f266375b6b9cf1bd20f64cbd6

SHA512
cdf2fbcaed2a3d12b39f7e38c085617b907cd0ba39e5960c620abeb399661f1e8ae8fc8f55e377a599868a1b928924318aaee92211104071e9c5db5c3666ecd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
62c27bb8d11ad2c0bd09aca72c2f8a9a

SHA1
83e7db093494ea1514b47139e7a016fce4d90e1a

SHA256
ae94b565f7a049140210bcda67edc0e88586b3b9c8b771ad6a5a5d3618b2b485

SHA512
78cce658e9c73112132f59bc560a001e348149be3e97be933c9bc1f1620d060f9ea46ba0c8a393500ab5153e1d66e63345733c1a399c8b0f7f5eb9dd4b723d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5b1135a0bc227e256ce1ee63fbe3ee42

SHA1
e9816bc0b66bc13221694fd7b67a81d62c7be290

SHA256
7329ab578091e6104068101603b543223a24dcc2f6b93eb835ea88a95541520a

SHA512
9dcd84c9896749fc71f59f909e5288625590ba8bd8853037d88c8b75e8a4b24c879fd0501bb2582778ff5c7a422af58b06b655157d7f7fde600589786250e12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ff7a47e48fb6f6b3163d61177adbeb42

SHA1
0a34ecb3031f40b112f62626699bbbfd5163178a

SHA256
168a0ce552b20e53d727f77a2f2e4e348bafc58139e85fe20d592d7decc16152

SHA512
666e711d189b9b7d113e7e1a7120a5275a71c34a766d415c55c1924db3dc3414e1a94f3dd53a86245f68fbf6074d998dd2e82e19957926f55f74ac93ea4e44b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
6e347d9d169cfe3114bf94f3c35e679a

SHA1
b3daf1a9a484a23a56d3f0308423cd410397c6eb

SHA256
d1fea7cfc8303d8467f2fc57552ab0084785109d476c7516d81f0d93075159d4

SHA512
1ef2e75fa287c2b7bf5b1f278a90baf934d1efa9c106025afb174d14d10c5f414d8c3a2f6cac9ee82423fdce948d23f13d4f7f7c29c5788c3ec608ad2181434e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
984de70374adce8d88e886906590b3c5

SHA1
344dddd3b14312d1ab6728a01b51ab997654c5fb

SHA256
437fbe90e0d40726ee13f860c7513a6a8dfe9e43445030d0cc174b2680c433fe

SHA512
b48f6af64fa3d0f1f16014ac14caded93e3bf56b7c2db553a1bce0dda47d6e890fcf9763a1495f17f68c66b44d79a4139479f5fec645a489bd5d0e56a6d83383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
21b03a0ea26f86ca1ed86f8ed08cc634

SHA1
dc4c8822ea57b0d8c4eee4212f0f0d4850ace64f

SHA256
dc9bd2df2539c268df513a92d34465bd917ac4ddae79f3590174b3651f461ebb

SHA512
8bbd49b1d32f4574c6fe2f97e0e24c170e0e0edbc28205a2b59db0bd423daaebace89a6762b07668c408332027ace63b3dc13aa3d2fd59dc6bff11037d3b9f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0b642285c7e06ac50ed5f588ea9a2767

SHA1
ff9b0d136dd29560eddf32837d97fad35e1f474b

SHA256
4f46a9f2bf7271663f915471b14723479561711da38c6fe1908be28b4964ddfb

SHA512
28c5ac7b37555970a836bad2ba0046d7aff58a78d3f5a02293fa1e1be438c8f21a999e8905aef15498af9561b9d5050b286ee1a71c7fbce018656024bd556e3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
e15041328fb0e8b50d75adeca019c11e

SHA1
e38f34ef00c36939fb16ce201dc288fd76b7840b

SHA256
671aadd5393b7b0199d9e2032526d9458c3a3cd5549b803e9eff7ff91bba6fb4

SHA512
5a7b11afa282f713dfa04eebe6321178fd4dd3ba3848cd9e01323770144879ff894fda22d669f76c2dcd44648d83c07c8d12ebca3661944f787020f19b885496

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\4b6c24b74d.exe

Filesize
1.3MB

MD5
114e04f986ba9bb0d390602a1219410e

SHA1
e7e7c66aadd5af75e42716c495be00b750367ab7

SHA256
2bbb7871ae0e212d58a65047c82863bba7ad43f7da4ba147a23f3fa7fa216851

SHA512
470685806f329bda6e8ed9642c8e06d9cceacee94670dbdab6a898d55b1be3a65f11ee26f721dd5ede7cbca311303cbc8735ee4f385bb642d7022f23fa229342

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\db28df8430.exe

Filesize
1.1MB

MD5
60aa687d7d234ab19125f15ccbbe92df

SHA1
54c54c8f3d14e0feb4740de2e6d7d6994bc47367

SHA256
ec5e15a1b3c6aed7349664beec326927205131bc55bc4181318fafe088b1e652

SHA512
8c2d19d43fb047b3a0574efff9affa3e594ec35cb7e73a8f55d93fea22c6ec2bb4070054b3a7b88ef8aadf71f671be7b6a5345d57c01c8fccd1088a22ec8d739

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
202a86af444f02afe35478c115432a71

SHA1
376574c41c33218aaaa9d916034f22fc8094fdbb

SHA256
22771da87dd994bde5d377d48a9f7524d9170908fe7e41f80ae91317212d864c

SHA512
67950deaa801af5e98d1e10deceaa62b0348950cd50222a054787bf021505029eadd776db77fb8aa897fbd686a6c58a3701618c3254913f92660790c8e4c1c87

Download Submit
memory/232-153-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/232-148-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/244-165-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/244-151-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-265-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-21-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-283-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-137-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-208-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-150-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-212-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-257-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-236-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-248-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-20-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-254-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-19-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/484-205-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-174-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-18-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-251-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-193-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/484-190-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/1944-194-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-255-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-191-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-284-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-184-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-182-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-267-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-258-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-206-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-57-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-147-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-209-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-252-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-249-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-246-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/1944-213-0x0000000000860000-0x0000000000D92000-memory.dmp

Filesize
5.2MB

Download
memory/2432-216-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2432-233-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-210-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-256-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-285-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-192-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-268-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-214-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-247-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-195-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-72-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-250-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-259-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-183-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-253-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-171-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/2672-207-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/3304-271-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/3304-282-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/4584-272-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/4584-269-0x0000000000420000-0x00000000008E5000-memory.dmp

Filesize
4.8MB

Download
memory/4816-17-0x0000000000C00000-0x00000000010A8000-memory.dmp

Filesize
4.7MB

Download
memory/4816-2-0x0000000000C01000-0x0000000000C2F000-memory.dmp

Filesize
184KB

Download
memory/4816-5-0x0000000000C00000-0x00000000010A8000-memory.dmp

Filesize
4.7MB

Download
memory/4816-1-0x0000000076FB6000-0x0000000076FB8000-memory.dmp

Filesize
8KB

Download
memory/4816-3-0x0000000000C00000-0x00000000010A8000-memory.dmp

Filesize
4.7MB

Download
memory/4816-0-0x0000000000C00000-0x00000000010A8000-memory.dmp

Filesize
4.7MB

Download
memory/4872-39-0x00000000006C0000-0x0000000000B85000-memory.dmp

Filesize
4.8MB

Download
memory/4872-40-0x00000000006C0000-0x0000000000B85000-memory.dmp

Filesize
4.8MB

Download
memory/4872-71-0x00000000006C0000-0x0000000000B85000-memory.dmp

Filesize
4.8MB

Download
memory/5064-218-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download
memory/5064-235-0x0000000000700000-0x0000000000BA8000-memory.dmp

Filesize
4.7MB

Download