amadey | 0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
19/06/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
Size

1.8MB
MD5

cc55ebdf25425a6a8e1e7ff87e4abb9a
SHA1

7f8496fdb32293620c78d26a1e0b51f60dce9f18
SHA256

0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804
SHA512

8e5dcc062b5b6234d4506f91a8afa8241b28b15d1e6ba2d3397f706feac511b6c3ada3c76f181acfb527b20031e2670b28ea108ab2ea08995b6d52ed925ce374
SSDEEP

49152:oWpQ+LtcyZ1zOQ18mEq1o1vmsyNSHbTGmp3fxhpeVu:oWhLSyrzONKMpyNOftxLeVu

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cbcc031da3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	381ac8e4d8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	381ac8e4d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cbcc031da3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	381ac8e4d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cbcc031da3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 9 IoCs

pid	Process
3240	explortu.exe
4824	381ac8e4d8.exe
3836	axplong.exe
3540	cbcc031da3.exe
1108	5145eb574d.exe
2360	explortu.exe
836	axplong.exe
1624	explortu.exe
2508	axplong.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	cbcc031da3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	381ac8e4d8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbcc031da3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\cbcc031da3.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000025c95-79.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
1844	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
3240	explortu.exe
4824	381ac8e4d8.exe
3836	axplong.exe
3540	cbcc031da3.exe
2360	explortu.exe
836	axplong.exe
1624	explortu.exe
2508	axplong.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
File created	C:\Windows\Tasks\axplong.job	381ac8e4d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633146835508511"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{4D9B160B-DED4-45B1-B937-FCE9F4C4D68C}	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1844	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
1844	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
3240	explortu.exe
3240	explortu.exe
4824	381ac8e4d8.exe
4824	381ac8e4d8.exe
3836	axplong.exe
3836	axplong.exe
3540	cbcc031da3.exe
3540	cbcc031da3.exe
3804	chrome.exe
3804	chrome.exe
2360	explortu.exe
2360	explortu.exe
836	axplong.exe
836	axplong.exe
1624	explortu.exe
1624	explortu.exe
2508	axplong.exe
2508	axplong.exe
4348	chrome.exe
4348	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe
Token: SeShutdownPrivilege	3804	chrome.exe
Token: SeCreatePagefilePrivilege	3804	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
3804	chrome.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe
1108	5145eb574d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 3240	1844	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe	77
PID 1844 wrote to memory of 3240	1844	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe	77
PID 1844 wrote to memory of 3240	1844	0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe	77
PID 3240 wrote to memory of 900	3240	explortu.exe	78
PID 3240 wrote to memory of 900	3240	explortu.exe	78
PID 3240 wrote to memory of 900	3240	explortu.exe	78
PID 3240 wrote to memory of 4824	3240	explortu.exe	79
PID 3240 wrote to memory of 4824	3240	explortu.exe	79
PID 3240 wrote to memory of 4824	3240	explortu.exe	79
PID 4824 wrote to memory of 3836	4824	381ac8e4d8.exe	80
PID 4824 wrote to memory of 3836	4824	381ac8e4d8.exe	80
PID 4824 wrote to memory of 3836	4824	381ac8e4d8.exe	80
PID 3240 wrote to memory of 3540	3240	explortu.exe	81
PID 3240 wrote to memory of 3540	3240	explortu.exe	81
PID 3240 wrote to memory of 3540	3240	explortu.exe	81
PID 3240 wrote to memory of 1108	3240	explortu.exe	82
PID 3240 wrote to memory of 1108	3240	explortu.exe	82
PID 3240 wrote to memory of 1108	3240	explortu.exe	82
PID 1108 wrote to memory of 3804	1108	5145eb574d.exe	83
PID 1108 wrote to memory of 3804	1108	5145eb574d.exe	83
PID 3804 wrote to memory of 1092	3804	chrome.exe	86
PID 3804 wrote to memory of 1092	3804	chrome.exe	86
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 4068	3804	chrome.exe	87
PID 3804 wrote to memory of 1316	3804	chrome.exe	88
PID 3804 wrote to memory of 1316	3804	chrome.exe	88
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89
PID 3804 wrote to memory of 1936	3804	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe
"C:\Users\Admin\AppData\Local\Temp\0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:900
- - C:\Users\Admin\1000015002\381ac8e4d8.exe
    "C:\Users\Admin\1000015002\381ac8e4d8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3836
- - C:\Users\Admin\AppData\Local\Temp\1000016001\cbcc031da3.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\cbcc031da3.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\1000017001\5145eb574d.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\5145eb574d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9a607ab58,0x7ff9a607ab68,0x7ff9a607ab78
        5⤵
        
        PID:1092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:2
        5⤵
        
        PID:4068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        
        PID:1316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        
        PID:1936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:1
        5⤵
        
        PID:4896
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:1
        5⤵
        
        PID:5028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4144 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:1
        5⤵
        
        PID:3360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4276 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:1
        5⤵
        
        PID:3532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2972 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        
        PID:3232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:3428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        
        PID:4408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        
        PID:4344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:8
        5⤵
        
        PID:4636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=1924,i,13600459306920256647,8289851144348953564,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\381ac8e4d8.exe

Filesize
1.8MB

MD5
2c21d63a0fabdfd759ba55419486bf4e

SHA1
765813aa09e034321b5e23ed0d5fe8792b3e25dd

SHA256
9e3980ad5a10187871b2f8c17a58d827c92fd7b89ff470f6257618d46045a66e

SHA512
1ce41b0b2ddaeedbecd0c4a0cc1da5a480683ade064dcba1fb3afe45f9daa3b962e17c90ce40322a9e14c63234e148c3a5db2d416eb7bd56fbffbea5191f9286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
80df9d91dae67017f2c6740272bf2251

SHA1
49bfae12b602294b5d8182c4df4569b661bf580c

SHA256
a8d1fedc2620607cafae6afc414d38ffe16b0c80f222b2e7cedc8e6e0771bead

SHA512
c8814ba400a897fc00a04d5e043f13e90e07c38d9df54f6977c90e70ca2336a34d0a240de6367960a1f7d3d99cda4b0cdcbc74dbd0fe089e7cc20c116b1a8bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
809203c39ea2e8781189a38d2d407eb1

SHA1
6006019e0d65b480e2aac59a8dea16b3fd7c0ce3

SHA256
45932aeeb20cc0eed5bb004e3623d28eb4ad0694737f2220c9280b909fff95ce

SHA512
a4f504b080f94d10908e71e1a827f0b6c2ef190111931893a4d2a8f8a46f0d973f0e0a7d13191c89ffceead74d0b2f833a2afde9010ae63c46ee8647718573b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9d4ab164fa26785adb38ef8a8b1ba27c

SHA1
a7c2cbbc79498708e7b653d575552236a2d034a8

SHA256
521a2f0feba30760132c9fb7e982a80ee7d9aadf90c9c8f5aff0d6bd186389de

SHA512
ba1bacb162d003abe42b1fd2b1ed5b2b3e41c78bd06f207ed20fa4da5b38fe8f029896da275c818b7fac02e96f3378c31fe52a312049325278092dd601c1e165

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
c1969ecb6826f0f357d6554d7d2a6165

SHA1
95c7e7f66b010ecec7600b7c065178ea476b5790

SHA256
3fd4dfa379e6cfe093e24ba4a515563070e5ccd0f7f06eb16d32f4002a1ee98e

SHA512
b4edc24eca2f5e76dfec97119ed462100bddc2e5dafc2e61f79bef611409fe9b98966c3703288fc880c59eb6ee10a84736b6ae6f76949754bbc838f51e6231e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
be46ed98755ffbba6d63377c0eb14ff9

SHA1
e19dcbc4d96c413796b494af3d089c0c2f4df6ea

SHA256
6a772330f97c47b3884a5671f3950036af8a4cb78377faff053f2061049663be

SHA512
2a3f1ca2601c510ac70723673ab5f5e5786af4459746ca0d6d636c312b50a20247bf0a50ca85cf3c4ed540314c9dc771a520c6f751a480e1e68bfcf603b54cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
d86a9b8718631bb809c29b7d5965e4bf

SHA1
fbc3cd53814fd38234e8c45f8ed99c88005f6afd

SHA256
91e013f60f4a9cb294a314681d5c982820775ace1489af9750cf4fb8ed42158f

SHA512
dcc2c84db7d2f762bf610127d9265c17a7edb012bdd9d74937e58d3e2ade949b807c69131ac6bd8293364e1f64f4db0e387946abc859a931ee5a088a60c2c170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
00fdf102ca521ca2c3524a9f21393c13

SHA1
e66974fcffbe223d91210d66beb6f843dbb833f3

SHA256
d3adb0d5f98950dc8149c18d761eabe50b3f347feb30bf3a9b3b21f9a6fd919d

SHA512
1450fcad105eb1bf480d2ef489b117fea85b84f3210fab7b815fab4daebca9ef8c69fdb3104173c04ce8360b09de8001aeeab9ecb8480f747da51eed773224e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9222329b44da0d9f7cb927e0006343eb

SHA1
b99890d028e2231d3558fca1bdfc9d349c0e47a0

SHA256
1380319fdcf235a763f15049b2788f9e1d43de3ffdaad299b6146f10d9140144

SHA512
287721849c114157cef1842f2e49058a7bd44b83fafafbbd167ca913d6e06ec1cfe144b278d45fd4f756da31325ac545dfef22080c0985560cbc44663f4c25c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
01ff83f1cb48f44bc347a3717b359b6e

SHA1
8e4b33da276bad53ad5e04d16130fbf30b6b7151

SHA256
727cd21a6e39082f832afa0d0606be31fab79d4d59b298b3053293b923096358

SHA512
eee8176c12b85c159f274794391e5a329ca81b217ffb18dfd208158897a965e1925ee95cb297b89c8248664464406eb7d0f83c4db4a8382417492fd061a55a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\cbcc031da3.exe

Filesize
2.3MB

MD5
4773f6a555b064cba29e59daed463525

SHA1
589aad2fd82e6b3861fa59a2f7acb46854f9b800

SHA256
02405eca39845fb265bef881a6f7b0075356c394a741e16f042b3badd42eeb57

SHA512
569ef6c9a1479fe2f1d5e77301ab6f0de03cbaad9893fd984f2ff355346c85dea6c27c4454b5d7f99fe144c9f22ac49dde56e25c8af80b3bc2c9f7597e9c1c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\5145eb574d.exe

Filesize
1.1MB

MD5
7ded7e8c380fd6355971f87eb46ba647

SHA1
1ad1c4c9fb7a0bfb3e28a5dbb01f1fe6067f8d8a

SHA256
cbbff987cf91f2efa7aa84d4713ab43eb1272ad971adfd7831453cb66326c047

SHA512
1bd9928d3fccb80e700d4aed78440d0f7a00ab8a5694b87bc7a82e8ddee99519d2de53afbf2a498faa18a8eee84109e8e6ade9e04f79b3eefdf14d34b323e6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
cc55ebdf25425a6a8e1e7ff87e4abb9a

SHA1
7f8496fdb32293620c78d26a1e0b51f60dce9f18

SHA256
0e07bc965ee6bda04b59339a181b4cb559552053ef828982562e4ecf97366804

SHA512
8e5dcc062b5b6234d4506f91a8afa8241b28b15d1e6ba2d3397f706feac511b6c3ada3c76f181acfb527b20031e2670b28ea108ab2ea08995b6d52ed925ce374

Download Submit
memory/836-207-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/836-204-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/1624-251-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/1624-254-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/1844-16-0x00000000008E0000-0x0000000000DA3000-memory.dmp

Filesize
4.8MB

Download
memory/1844-0-0x00000000008E0000-0x0000000000DA3000-memory.dmp

Filesize
4.8MB

Download
memory/1844-5-0x00000000008E0000-0x0000000000DA3000-memory.dmp

Filesize
4.8MB

Download
memory/1844-3-0x00000000008E0000-0x0000000000DA3000-memory.dmp

Filesize
4.8MB

Download
memory/1844-2-0x00000000008E1000-0x000000000090F000-memory.dmp

Filesize
184KB

Download
memory/1844-1-0x0000000077A06000-0x0000000077A08000-memory.dmp

Filesize
8KB

Download
memory/2360-205-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/2360-202-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/2508-255-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/2508-253-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3240-243-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-258-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-214-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-166-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-145-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-179-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-116-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-249-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-246-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-150-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-167-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-266-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-188-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-287-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-201-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-21-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-20-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-19-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-231-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-17-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3240-210-0x00000000006F0000-0x0000000000BB3000-memory.dmp

Filesize
4.8MB

Download
memory/3540-190-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-257-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-268-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-260-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-216-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-209-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-73-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-212-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-149-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-242-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-187-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-178-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-245-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-185-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3540-248-0x00000000005B0000-0x0000000000BAD000-memory.dmp

Filesize
6.0MB

Download
memory/3836-247-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-186-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-244-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-177-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-241-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-148-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-256-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-189-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-208-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-259-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-215-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-54-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-267-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/3836-211-0x00000000004D0000-0x000000000098F000-memory.dmp

Filesize
4.7MB

Download
memory/4824-53-0x0000000000390000-0x000000000084F000-memory.dmp

Filesize
4.7MB

Download
memory/4824-40-0x0000000000390000-0x000000000084F000-memory.dmp

Filesize
4.7MB

Download
memory/4824-39-0x0000000000390000-0x000000000084F000-memory.dmp

Filesize
4.7MB

Download