amadey | 95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
18/06/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
Size

1.8MB
MD5

2142b65d7a571c540c694db70a4ff710
SHA1

d2572d9e8f558daf8bfea65c5e3bf51b042d6b71
SHA256

95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b
SHA512

49bede65d620233a5ed872fcb09b5c0b6977069f1e2223f489c5ab35c73dcf788f6160825351577d508377b4af3bccf8ac405f7c36f630a38b957361ceeeae72
SSDEEP

49152:wfudvsdVIb6ZW9VmE6WvJDt7My/Gj3oUTdXSuT2NLM:wfudvsdSdKEpFt7My/S3ogRS22RM

Score

10^/10

amadey 0e6740 e76b71 evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0bb5e5cb08.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0bb5e5cb08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0bb5e5cb08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 9 IoCs

pid	Process
4160	explortu.exe
128	0bb5e5cb08.exe
1056	axplong.exe
484	22c3fd0958.exe
1028	3cd24cb963.exe
4604	axplong.exe
3772	explortu.exe
640	axplong.exe
3616	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	0bb5e5cb08.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\22c3fd0958.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\22c3fd0958.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa5c-84.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

pid	Process
2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
4160	explortu.exe
128	0bb5e5cb08.exe
1056	axplong.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
4604	axplong.exe
3772	explortu.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
640	axplong.exe
3616	explortu.exe
484	22c3fd0958.exe
484	22c3fd0958.exe
484	22c3fd0958.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
File created	C:\Windows\Tasks\axplong.job	0bb5e5cb08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632283679277264"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1560405787-796225086-678739705-1000\{07131A4E-84B1-4A40-BA3F-5B9398D6EDDD}	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
4160	explortu.exe
4160	explortu.exe
128	0bb5e5cb08.exe
128	0bb5e5cb08.exe
1056	axplong.exe
1056	axplong.exe
2532	chrome.exe
2532	chrome.exe
4604	axplong.exe
4604	axplong.exe
3772	explortu.exe
3772	explortu.exe
640	axplong.exe
640	axplong.exe
3616	explortu.exe
3616	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
128	0bb5e5cb08.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
1028	3cd24cb963.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
2532	chrome.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1028	3cd24cb963.exe
1028	3cd24cb963.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
1028	3cd24cb963.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe
1028	3cd24cb963.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
484	22c3fd0958.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4160	2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe	81
PID 2864 wrote to memory of 4160	2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe	81
PID 2864 wrote to memory of 4160	2864	95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe	81
PID 4160 wrote to memory of 1956	4160	explortu.exe	82
PID 4160 wrote to memory of 1956	4160	explortu.exe	82
PID 4160 wrote to memory of 1956	4160	explortu.exe	82
PID 4160 wrote to memory of 128	4160	explortu.exe	83
PID 4160 wrote to memory of 128	4160	explortu.exe	83
PID 4160 wrote to memory of 128	4160	explortu.exe	83
PID 128 wrote to memory of 1056	128	0bb5e5cb08.exe	84
PID 128 wrote to memory of 1056	128	0bb5e5cb08.exe	84
PID 128 wrote to memory of 1056	128	0bb5e5cb08.exe	84
PID 4160 wrote to memory of 484	4160	explortu.exe	85
PID 4160 wrote to memory of 484	4160	explortu.exe	85
PID 4160 wrote to memory of 484	4160	explortu.exe	85
PID 4160 wrote to memory of 1028	4160	explortu.exe	86
PID 4160 wrote to memory of 1028	4160	explortu.exe	86
PID 4160 wrote to memory of 1028	4160	explortu.exe	86
PID 1028 wrote to memory of 2532	1028	3cd24cb963.exe	87
PID 1028 wrote to memory of 2532	1028	3cd24cb963.exe	87
PID 2532 wrote to memory of 4800	2532	chrome.exe	90
PID 2532 wrote to memory of 4800	2532	chrome.exe	90
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3572	2532	chrome.exe	91
PID 2532 wrote to memory of 3168	2532	chrome.exe	92
PID 2532 wrote to memory of 3168	2532	chrome.exe	92
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93
PID 2532 wrote to memory of 4384	2532	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe
"C:\Users\Admin\AppData\Local\Temp\95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1956
- - C:\Users\Admin\1000015002\0bb5e5cb08.exe
    "C:\Users\Admin\1000015002\0bb5e5cb08.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:128
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1056
- - C:\Users\Admin\AppData\Local\Temp\1000016001\22c3fd0958.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\22c3fd0958.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:484
- - C:\Users\Admin\AppData\Local\Temp\1000017001\3cd24cb963.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\3cd24cb963.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ab94ab58,0x7ff8ab94ab68,0x7ff8ab94ab78
        5⤵
        
        PID:4800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:2
        5⤵
        
        PID:3572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        
        PID:3168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        
        PID:4384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:1
        5⤵
        
        PID:2900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:1
        5⤵
        
        PID:4956
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:1
        5⤵
        
        PID:4292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4468 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:1
        5⤵
        
        PID:4284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4476 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        
        PID:592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:2984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        
        PID:4000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        
        PID:3196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4092 --field-trial-handle=1832,i,7824360193189557380,1238107484260958006,131072 /prefetch:8
        5⤵
        
        PID:3384

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\0bb5e5cb08.exe

Filesize
1.9MB

MD5
706ac01d77023f641bdb31421dd1249b

SHA1
df1e65b1528974e15869d05c6d40936eb6156192

SHA256
a9f7142ec8a231ae13735d6d6a19fece19e6af7c5ad3c65220c64f7a143b4d2d

SHA512
55b8ff9e1c9fb149cd201a8dd4a5e1b6299e3b36ef23cf7973d29347056454053fef3f960570f3afed89e7b0fb3f9bf27a3cebcdd93515760590b5445b94b211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
beaa7cdd809ffebe9abce843874067f1

SHA1
0e749a2cad98c9bba1136ef6eb217bffa1c024fa

SHA256
2f500196ff6e8625c309364775960682fcfa0d9f7ca20843d61ebc6a250304cb

SHA512
78bddcb5054384271692e46b6502194dcfa297066ae235b23f60c221cf1a4ec4d220aec9cfccc0a9029fc5b4c3ff88cc47c4fcd2f897925ee11191709e6aff02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8b795277a2b4916a92a85b1bd75eb709

SHA1
91fa21c3d2fef7d9f4c4ad4775fa8416a7685ca6

SHA256
50955faeff5a77bac75fc8fa49dbc032323442f75eca962748396bb7bf3545ff

SHA512
598697ef0851867ca9e6fac7cfcf6326e1946050c3264bbe2612628b9c6763d217a670335c51ed0562e65a3a6f82b2b07d40bbb4a554f570f2c6620c260aece9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
4d3f09595b033185a124a1dcf7cbc59d

SHA1
4a06ed4d1f897b558aeb4fd1f4969f24a837f59f

SHA256
26a9ed3d7b3a460732a259ca012a0964fad017388082380503bbc444a31bfdd8

SHA512
d0f9a7a810b150dc4995206d4a6f059fe69146066b6ace47d3d1625582c507bfc8145043e0b563712b4d78a640943f58c9f986c3a9be2214a44ede5736898313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
550fee4639d0aad7577dd39d9fec9f84

SHA1
f5daee3bc48639431860892bc8d30922d0836a4d

SHA256
34102b191472c597fe8667fdaaf5466ee2b3edd2809e4d356df0ebb8a0a3f3a1

SHA512
fa2d4b70113b43edbc8755ff2ce574a3b765b5dab208066fa469a27e9fac9206e79c2005bad9dd338e8dd14f72485b97cd76212b659dfc0bebddbd8502cb4a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6129634b35f53e391d90c4f25eb20ad9

SHA1
97b9aba9f9ea3f5e800451b51708a7aaddee4f77

SHA256
bb3c7e9094fa95771375dca63909d5763831bf8a034584567fa64ba53e09db30

SHA512
32468f6f1d72efdc476e871a535b2160bbfd3a352846d863068e133b16d4eacf7abfcf6ca7c0e578359e0fb66082854af2901ddeefb18872c5d5f470243808a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ad65b28edb14ab54f6002003ae1c4cee

SHA1
f97659a886f690683b1717eb925098d1122acdd0

SHA256
1c468e8c231ff98c865f0d821672e36268efce8619498d6a84c2328364343f9a

SHA512
7992c92f73cf9d18cda6e747c05d4837c37fd4c15df230baf3236b8d91b9a628628d0177a2449d2294b4d04d62dd1e1202f6807f995afffff024064837aa0546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
d122d2207fcc809a99d4dff17e5d9502

SHA1
7b6036c830547104fa083eb4f68dfb48df6d908e

SHA256
351e1f88b0a5ef9aa8892bc7f957b2772e81f6cf6cdce27f1ddf08486d47a824

SHA512
93bcf5ea325f4b9e622e28804f40a63f1ed85eb942a64ba8708feb70899eeb668dad7b30e456c66176a03d3195abb311e5b2080b3845683ad27c783b10c7b5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\22c3fd0958.exe

Filesize
1.3MB

MD5
7974f70a652d78bfe4ccd8df84448aee

SHA1
c34e7c684c47790cce19b236b0aeb7d06136c9d8

SHA256
9b5366de3771e9e0000edad206ea77d324904731da5f8a87ac03ca2c0ee39a42

SHA512
7f079525eb24413c1f992d19cdbda38e2898b7b6838bc725512c69748c9164ffa7f93120711749282d325c5e5286f682cf463dcae6a4c7a7776e5638dd23684c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\3cd24cb963.exe

Filesize
1.1MB

MD5
172539b16d367a42b3da4cb3735892b8

SHA1
e4c4a94ca254de81322a53dce85b4d0de57996df

SHA256
4b7392ea9734dd743427cfa321102aa73f6ff5d1c15a03fbc954825f0ace6ba7

SHA512
6d5f3153f5568bbc307b0c2009f9410e70bd251bcc09efd1fcc51be7b314608b6b77acd2d49b9be6aad49ab006298ce3c0a90c1b840401793d9758a7e6a5cbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
2142b65d7a571c540c694db70a4ff710

SHA1
d2572d9e8f558daf8bfea65c5e3bf51b042d6b71

SHA256
95f2fd0295cf70990020069111d07506f03d46431fc91513ce21528f28741a6b

SHA512
49bede65d620233a5ed872fcb09b5c0b6977069f1e2223f489c5ab35c73dcf788f6160825351577d508377b4af3bccf8ac405f7c36f630a38b957361ceeeae72

Download Submit
memory/128-41-0x0000000000270000-0x0000000000747000-memory.dmp

Filesize
4.8MB

Download
memory/128-54-0x0000000000270000-0x0000000000747000-memory.dmp

Filesize
4.8MB

Download
memory/128-42-0x0000000000270000-0x0000000000747000-memory.dmp

Filesize
4.8MB

Download
memory/484-76-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-75-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-197-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-257-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-182-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-209-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-242-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-194-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-212-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-170-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-216-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-254-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-251-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/484-143-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/640-246-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/640-249-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-214-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-253-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-259-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-146-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-79-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-173-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-244-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-256-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-198-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-218-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-195-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-211-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-154-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/1056-57-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/2864-5-0x0000000000C70000-0x0000000001137000-memory.dmp

Filesize
4.8MB

Download
memory/2864-3-0x0000000000C70000-0x0000000001137000-memory.dmp

Filesize
4.8MB

Download
memory/2864-0-0x0000000000C70000-0x0000000001137000-memory.dmp

Filesize
4.8MB

Download
memory/2864-17-0x0000000000C70000-0x0000000001137000-memory.dmp

Filesize
4.8MB

Download
memory/2864-2-0x0000000000C71000-0x0000000000C9F000-memory.dmp

Filesize
184KB

Download
memory/2864-1-0x0000000077036000-0x0000000077038000-memory.dmp

Filesize
8KB

Download
memory/3616-250-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/3616-248-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/3772-188-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/3772-186-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-196-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-243-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-21-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-217-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-40-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-19-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/4160-20-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-58-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-24-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-199-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-210-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-55-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-18-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-151-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-213-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-252-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-258-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-59-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-255-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-181-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4160-78-0x0000000000700000-0x0000000000BC7000-memory.dmp

Filesize
4.8MB

Download
memory/4604-184-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download
memory/4604-187-0x0000000000980000-0x0000000000E57000-memory.dmp

Filesize
4.8MB

Download