amadey | ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c

Resubmissions

18-06-2024 20:14

240618-yz2ylawaqc 10

18-06-2024 20:09

240618-yw7dxawalc 10

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
18-06-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
Size

1.8MB
MD5

d933a1e34002d784b05aaf813e96bbca
SHA1

e22779e5665482f4f35fd5ab87d6075d9932b158
SHA256

ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c
SHA512

e7d2416680085f7cca918e353703d3c7087de72d17ce141db2c4eb77e1e727f195e913d4d7945908b698284bababde3a8a31367149e7f278254959e763bd4948
SSDEEP

49152:kiBbKIGjDt/gWtQ3MLeJZdbvmhS0gRAT18:j2IGdRCpbvmhS0g018

Score

10^/10

amadey 0e6740 e76b71 evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3a4abe3e4a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3a4abe3e4a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3a4abe3e4a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe

Executes dropped EXE 9 IoCs

pid	Process
2476	explortu.exe
4652	3a4abe3e4a.exe
380	2dabd6f1ed.exe
1656	axplong.exe
1548	60eb105a74.exe
3236	axplong.exe
1684	explortu.exe
2576	axplong.exe
2660	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	3a4abe3e4a.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\2dabd6f1ed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\2dabd6f1ed.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa96-76.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
2476	explortu.exe
4652	3a4abe3e4a.exe
380	2dabd6f1ed.exe
1656	axplong.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
3236	axplong.exe
1684	explortu.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
2576	axplong.exe
2660	explortu.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe
380	2dabd6f1ed.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
File created	C:\Windows\Tasks\axplong.job	3a4abe3e4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632149711798910"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-952492217-3293592999-1071733403-1000\{4880F7E8-340E-41A4-A4EC-C06E62E606AB}	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
2476	explortu.exe
2476	explortu.exe
4652	3a4abe3e4a.exe
4652	3a4abe3e4a.exe
1656	axplong.exe
1656	axplong.exe
3172	chrome.exe
3172	chrome.exe
3236	axplong.exe
3236	axplong.exe
1684	explortu.exe
1684	explortu.exe
2576	axplong.exe
2576	axplong.exe
2660	explortu.exe
2660	explortu.exe
1720	chrome.exe
1720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe
Token: SeShutdownPrivilege	3172	chrome.exe
Token: SeCreatePagefilePrivilege	3172	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
3172	chrome.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1548	60eb105a74.exe
1548	60eb105a74.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
3172	chrome.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe
1548	60eb105a74.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
380	2dabd6f1ed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2476	1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe	79
PID 1916 wrote to memory of 2476	1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe	79
PID 1916 wrote to memory of 2476	1916	ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe	79
PID 2476 wrote to memory of 4808	2476	explortu.exe	80
PID 2476 wrote to memory of 4808	2476	explortu.exe	80
PID 2476 wrote to memory of 4808	2476	explortu.exe	80
PID 2476 wrote to memory of 4652	2476	explortu.exe	81
PID 2476 wrote to memory of 4652	2476	explortu.exe	81
PID 2476 wrote to memory of 4652	2476	explortu.exe	81
PID 2476 wrote to memory of 380	2476	explortu.exe	82
PID 2476 wrote to memory of 380	2476	explortu.exe	82
PID 2476 wrote to memory of 380	2476	explortu.exe	82
PID 4652 wrote to memory of 1656	4652	3a4abe3e4a.exe	83
PID 4652 wrote to memory of 1656	4652	3a4abe3e4a.exe	83
PID 4652 wrote to memory of 1656	4652	3a4abe3e4a.exe	83
PID 2476 wrote to memory of 1548	2476	explortu.exe	84
PID 2476 wrote to memory of 1548	2476	explortu.exe	84
PID 2476 wrote to memory of 1548	2476	explortu.exe	84
PID 1548 wrote to memory of 3172	1548	60eb105a74.exe	85
PID 1548 wrote to memory of 3172	1548	60eb105a74.exe	85
PID 3172 wrote to memory of 2008	3172	chrome.exe	88
PID 3172 wrote to memory of 2008	3172	chrome.exe	88
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 2036	3172	chrome.exe	89
PID 3172 wrote to memory of 1500	3172	chrome.exe	90
PID 3172 wrote to memory of 1500	3172	chrome.exe	90
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91
PID 3172 wrote to memory of 3620	3172	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe
"C:\Users\Admin\AppData\Local\Temp\ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4808
- - C:\Users\Admin\1000015002\3a4abe3e4a.exe
    "C:\Users\Admin\1000015002\3a4abe3e4a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\1000016001\2dabd6f1ed.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\2dabd6f1ed.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\1000017001\60eb105a74.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\60eb105a74.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc6e2ab58,0x7fffc6e2ab68,0x7fffc6e2ab78
        5⤵
        
        PID:2008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:2
        5⤵
        
        PID:2036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        
        PID:1500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        
        PID:3620
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:1
        5⤵
        
        PID:2832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:1
        5⤵
        
        PID:560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:1
        5⤵
        
        PID:3808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4008 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:1
        5⤵
        
        PID:2136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4064 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        
        PID:3636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        
        PID:4136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        
        PID:556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:8
        5⤵
        
        PID:5056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1808,i,9382435471125462484,13535241978898708694,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\3a4abe3e4a.exe

Filesize
1.8MB

MD5
859a4c80a29343a0a6a207da2131d1de

SHA1
390036f9fbc2d6b4364fa65f7300feb3d688ae1e

SHA256
cd542de7a294a308e588e394dd615360bea873bc4d0f45f2a4f2c33eb97ff51b

SHA512
e704312b3aa18592ba69115709492946cfd388a2d48d980d24e8f3118394b943cdf119dffec6a5d72d5c9cf47009e292067bf1a888af80aff988388bd9e393fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
7ab00437fba6e97102f1439a1d82237d

SHA1
1379904bf082ff8161128030db1929f750638e2d

SHA256
da130c9693fca2bba0bbb54345da3bd3803386d53a22bb4f850c53a6210a62ea

SHA512
b3ab37ebec4bc3148a485680bbaacc411533f0c44c7baa6752e326469d4f226f3e0cb6f4fb910710c659cc6711e55bc05e08e24e67b5a77aabf471c8af282cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eae2cefefb1fed5e6e4a84ce8d217e3f

SHA1
f242f18bfe262eb1f15242dfbb98e9d65f9c0b52

SHA256
cbeb997f30c490effc2e822d11f21a77f68d00d12b75b1861f0e0f8f62bce644

SHA512
2ea0aacf4e31139e7b64edbbaee9190e7ce3bc23e20600578c0632b2b4c2d4ed952bb3ce1876545ae6bd4b31e95fd2593e09fe2780c1c95125eabea26e64c4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4e51c2abf53f4ddad745347efff98196

SHA1
6a08ef310f85c834de9ca9a005033131755f3795

SHA256
3f6db2f649fcd63edd171c4504a5de8c9caf80000c920e5a164cd53e0a76cb71

SHA512
70062dccd1396937632aac1a118ca2f94c158069aa53173b5a5c6c5355ed8add181244f2d2c0b89a6366f7782e20fe5b1b3282bfbafd47cdb5130db8b70afe13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
3941978ece77b93e60fd9c978c6c1ff7

SHA1
93fc259410a0c4fa1894c3cab86aa2d3a53c14c8

SHA256
1daa5dbb8ffc8456af0a06f621dcb8b18fa19f85793638246ad65abdb91490c3

SHA512
09b455ea058887f6c983f76c2cbf80f3637d13f9e54078bd651e3cdec2c31a89ace32e86bd323dc104cf97d8be58a120dc2599068ec4a1eda00e433950e4ea88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
5ab0da970b2162d2ca968bcb28c35dd8

SHA1
85fbd4637c80eb14aba8480a2b11a6247aebad20

SHA256
a72372388d4bee8238c7eaf7b0238ec670ce14cf2ace5a26f114bd0fb29449c2

SHA512
398f84246997a4de5879e3dde1505a786b741021cf0a108179cffe30b94ea1de8876539b967217c8193b2a04939865af5c4463f6860a515c72268ea13b496b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
edd8d25480140c85cff5ed9a7cae66f3

SHA1
3fcb15c17d60e5d0da322350272f5a456db3f36a

SHA256
b1f55a63133791c3fc8b0234b0212056dbd047a05266be13c8589b3c069657d4

SHA512
0bbcd755df8f534ca3bca2ed57c644c219afb59dec6f0c21ba6a62d2ccab54cef03edf8a6635ede8804c14419f9aff15cf4e0680688b673b96188bd6e37bb430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
32054c8d0dc38fa691eb0d5eac73412d

SHA1
1b6e560c3cf3476d2551214b9c1e2f7fd7247eb9

SHA256
2c2ea8e6bff937e6a8d3a5852407ae47394e12b36aad261b983835d060372728

SHA512
42769d3eb013c27d18ad38603e8e3efd02475bbbcb7a90aa6229b4fad5ec16dc2b60154ad02bfbd54870892cf93aee84e9f313910339550da39f6323251321c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
0aba98be411f4e44f57a0f17a598861c

SHA1
254afc1f3533cf51de11ed30a67b80d3b1ac145f

SHA256
50e103296cb3b828482065ad0575175c264054e8a8ae4967fa7e876a5e87f3eb

SHA512
e95bff09d692c42a70df6d5ed6e94cd305d1489fdc3e7f2a59ff6f0ab9a5e7ec72814590dc4600ca62fae29762c96ba25b518020895920e489a9e589c7e67373

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\2dabd6f1ed.exe

Filesize
1.3MB

MD5
7e70f9c8759bd8f82a3d93c9773b433b

SHA1
d24cb0068364b83774e773e344ba7e3407a41016

SHA256
2dc4d19942c40513808bef745d0fa41f4abb8b3a05b12e86e60fd3232531adde

SHA512
8c6b31bc5ddd741db5726f7fad6517c45df0cc089aaecd86e5270823c371dbecd78e4af9a272f75810b12ee6b9fcb0b97f3922278c6893a93bb790b688010083

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\60eb105a74.exe

Filesize
1.1MB

MD5
95bfbbd34a0f1a6c668f4336be9c1482

SHA1
d997ae47072ee45f35d1c30bfc25e8ede9984ce1

SHA256
95625cb70a539b1d5e94f4e554de06f44c8ff580c6606fa3ccc14bd8feb9fe4a

SHA512
804781a2f87c4227b3c1c37acdefdbc10230fba70eda58d83dedf362e6568a3675fc02caaa86481bfd6ae2f2122b3e055c3a888e6d090ca445ea6715d6282e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
d933a1e34002d784b05aaf813e96bbca

SHA1
e22779e5665482f4f35fd5ab87d6075d9932b158

SHA256
ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c

SHA512
e7d2416680085f7cca918e353703d3c7087de72d17ce141db2c4eb77e1e727f195e913d4d7945908b698284bababde3a8a31367149e7f278254959e763bd4948

Download Submit
memory/380-251-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-172-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-210-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-206-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-263-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-236-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-203-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-143-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-254-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-191-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-56-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-275-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-239-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-248-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/380-181-0x0000000001000000-0x0000000001532000-memory.dmp

Filesize
5.2MB

Download
memory/1656-276-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-240-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-173-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-211-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-249-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-180-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-70-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-182-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-252-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-264-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-255-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-207-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-204-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-144-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-192-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1656-237-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/1684-190-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/1684-187-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/1916-5-0x0000000000110000-0x00000000005B9000-memory.dmp

Filesize
4.7MB

Download
memory/1916-0-0x0000000000110000-0x00000000005B9000-memory.dmp

Filesize
4.7MB

Download
memory/1916-17-0x0000000000110000-0x00000000005B9000-memory.dmp

Filesize
4.7MB

Download
memory/1916-1-0x0000000077036000-0x0000000077038000-memory.dmp

Filesize
8KB

Download
memory/1916-3-0x0000000000110000-0x00000000005B9000-memory.dmp

Filesize
4.7MB

Download
memory/1916-2-0x0000000000111000-0x000000000013F000-memory.dmp

Filesize
184KB

Download
memory/2476-135-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-145-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-209-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-205-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-202-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-238-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-18-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-19-0x0000000000B51000-0x0000000000B7F000-memory.dmp

Filesize
184KB

Download
memory/2476-241-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-274-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-20-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-21-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-262-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-183-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-179-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-250-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-164-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-161-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-253-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2476-226-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2576-246-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/2576-243-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/2660-247-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/2660-245-0x0000000000B50000-0x0000000000FF9000-memory.dmp

Filesize
4.7MB

Download
memory/3236-185-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/3236-189-0x0000000000370000-0x0000000000832000-memory.dmp

Filesize
4.8MB

Download
memory/4652-66-0x00000000005E0000-0x0000000000AA2000-memory.dmp

Filesize
4.8MB

Download
memory/4652-39-0x00000000005E0000-0x0000000000AA2000-memory.dmp

Filesize
4.8MB

Download