amadey | bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
19-06-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
Size

1.8MB
MD5

cd51b7700208ea7e7c81c1a06cafd36e
SHA1

132b425331c438c2833bf190f50bfdee16bc9d32
SHA256

bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a
SHA512

99b4688b74587eb062193dcb2cf15d3fad3e48e3281b73c022957fa38a304acb50afcb50941b9a829669a6b3f364f3c13535298ad10cd37905caa0aeb207b83a
SSDEEP

49152:YPb9kkfjhealT0EVh7oMio/sOzUNGRDTLqjTldJMhc:m2kRlo+BPBEOJHq+h

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	caab4d65a2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	caab4d65a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	caab4d65a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 9 IoCs

pid	Process
1108	explortu.exe
3532	caab4d65a2.exe
1892	b646aa9779.exe
4360	axplong.exe
4188	a478906f1a.exe
3016	axplong.exe
3024	explortu.exe
3636	axplong.exe
5008	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	caab4d65a2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\b646aa9779.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\b646aa9779.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aaa9-77.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
3308	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
1108	explortu.exe
3532	caab4d65a2.exe
4360	axplong.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
3016	axplong.exe
3024	explortu.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
3636	axplong.exe
5008	explortu.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe
1892	b646aa9779.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
File created	C:\Windows\Tasks\axplong.job	caab4d65a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632462847280139"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{F35CFD29-8DDE-422E-93FF-FF9C0C0575BA}	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3308	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
3308	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
1108	explortu.exe
1108	explortu.exe
3532	caab4d65a2.exe
3532	caab4d65a2.exe
4360	axplong.exe
4360	axplong.exe
1088	chrome.exe
1088	chrome.exe
3016	axplong.exe
3016	axplong.exe
3024	explortu.exe
3024	explortu.exe
3636	axplong.exe
3636	axplong.exe
5008	explortu.exe
5008	explortu.exe
1104	chrome.exe
1104	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe
Token: SeShutdownPrivilege	1088	chrome.exe
Token: SeCreatePagefilePrivilege	1088	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4188	a478906f1a.exe
4188	a478906f1a.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
4188	a478906f1a.exe
1088	chrome.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
1088	chrome.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4188	a478906f1a.exe
4188	a478906f1a.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
1088	chrome.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe
4188	a478906f1a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1892	b646aa9779.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1108	3308	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe	81
PID 3308 wrote to memory of 1108	3308	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe	81
PID 3308 wrote to memory of 1108	3308	bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe	81
PID 1108 wrote to memory of 3124	1108	explortu.exe	82
PID 1108 wrote to memory of 3124	1108	explortu.exe	82
PID 1108 wrote to memory of 3124	1108	explortu.exe	82
PID 1108 wrote to memory of 3532	1108	explortu.exe	83
PID 1108 wrote to memory of 3532	1108	explortu.exe	83
PID 1108 wrote to memory of 3532	1108	explortu.exe	83
PID 1108 wrote to memory of 1892	1108	explortu.exe	84
PID 1108 wrote to memory of 1892	1108	explortu.exe	84
PID 1108 wrote to memory of 1892	1108	explortu.exe	84
PID 3532 wrote to memory of 4360	3532	caab4d65a2.exe	85
PID 3532 wrote to memory of 4360	3532	caab4d65a2.exe	85
PID 3532 wrote to memory of 4360	3532	caab4d65a2.exe	85
PID 1108 wrote to memory of 4188	1108	explortu.exe	86
PID 1108 wrote to memory of 4188	1108	explortu.exe	86
PID 1108 wrote to memory of 4188	1108	explortu.exe	86
PID 4188 wrote to memory of 1088	4188	a478906f1a.exe	87
PID 4188 wrote to memory of 1088	4188	a478906f1a.exe	87
PID 1088 wrote to memory of 3112	1088	chrome.exe	90
PID 1088 wrote to memory of 3112	1088	chrome.exe	90
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 808	1088	chrome.exe	91
PID 1088 wrote to memory of 2544	1088	chrome.exe	92
PID 1088 wrote to memory of 2544	1088	chrome.exe	92
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93
PID 1088 wrote to memory of 1696	1088	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe
"C:\Users\Admin\AppData\Local\Temp\bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:3124
- - C:\Users\Admin\1000015002\caab4d65a2.exe
    "C:\Users\Admin\1000015002\caab4d65a2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:4360
- - C:\Users\Admin\AppData\Local\Temp\1000016001\b646aa9779.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\b646aa9779.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\1000017001\a478906f1a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\a478906f1a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb30d2ab58,0x7ffb30d2ab68,0x7ffb30d2ab78
        5⤵
        
        PID:3112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:2
        5⤵
        
        PID:808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        
        PID:2544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        
        PID:1696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:1
        5⤵
        
        PID:2780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:1
        5⤵
        
        PID:1548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:1
        5⤵
        
        PID:3220
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3248 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:1
        5⤵
        
        PID:2416
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4232 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        
        PID:484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:3532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        
        PID:1628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        
        PID:2144
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:8
        5⤵
        
        PID:4716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 --field-trial-handle=1792,i,831151700258980917,14126433520917099679,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3636

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\caab4d65a2.exe

Filesize
1.8MB

MD5
2e199225bc17ee07887864e67f89302d

SHA1
d9f741df765e92b6991efd0760dfa2610cdba173

SHA256
717cd9b7bcae5e7551cfb2ec994bfa59281796fc067048dd6ddc2a8d2f4b7c71

SHA512
af2fd93cbd4528ecd7f29ab3dfa400e6ae4e719e58ffc0fbd02f2fd25f0428e52cd51eca084c7a24bddae22479ecba18b744f7b6f8c8b650aac8d0b4df1022f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
1870654d1c2eeb99b65c2a6a1d1dacbd

SHA1
8ab90da8a7c6dfa4f1951657ca80ca9c0960013a

SHA256
435da5d33bdf0de93378714746e0ef109bc6453143943c6b5ca25cc31d3ff5fa

SHA512
817a3038f2a277b8f78528031641e44220f3f10ccb21b8a234bfb2dd41444dcf1a635159a577425743fc39b04790a0db641c58479509c3b7569e1afd7e1754ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
842e92a4077f05adbebdf3f432538c87

SHA1
2466adf4d2aa7387d119706de387ed7bb3ff3f99

SHA256
2a80fc2e9f98882e43b58443d9a7157ff2c04f58ef23a57382182c423ff3d850

SHA512
436be17ac46ae135362f618860c8540cdc24a99f1d34039b5948181547d987ad800eead5413cd56275661db8fa508d5b405f8ed7d8f59451a5c44f5a457d4b1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fe4679e27ae28ff56c44888dbed9c06c

SHA1
d6a99fc1e8018769cbbdedd60855037ec32db467

SHA256
150a4472c1ed04ceecd3cd5cde6c7a950471d0b4da13c8d7a42105f691bcbee9

SHA512
37af6393ae218f3531db30feb840f1336389f2a09d93a3cff9638d9521633c0019a10529c907a8c1e752c1942687490fdcd305ae4b80cd0d8ef0a487b75372cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
354466b4292966bbb2ad69d4048625a8

SHA1
9dab07ef452ef4109add19619af4f24d6f301ac3

SHA256
92627c4345ada531c3a26b3b0458e22662964c140b8e5df45344fdd79425d47a

SHA512
32809c16d96c41c1f1f338d1b6edee21490b59ccec2f01e1bcf5b607af690fe87b040f527b3ce98e8f670b060b95c945cef27e118f8beb0e0c929cefd089a0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
3c6f4b8f74e39882a9fa36fac86440a1

SHA1
1aa79e8669d8602be4b7e4c5aacae81d7460a7ab

SHA256
578e2938463587248fb9b7c0eaa443a83bc88d1ee4cdf47c8cd8f7cbff5cceee

SHA512
ea03d4bd03e848189d8bb6d8ac0cdcb09a365d0bc550b70d68b822c0ef71a1d7a80adda3b584fe3866a15149b60ab8b86294586856fd0a7a9b1c8aa0574c50ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
1b8bae3a264a40580045bbabc6081ca3

SHA1
1e89f131c55e241c0510d52e27bd551fe9880ade

SHA256
9c073fb412d290ec7eb5d5d64c943c8d36d74d8519502c54993235c700d93dca

SHA512
af590a7d5cb23e6a55862c7b9a529354e448a4e48153f3fa4ae94a326ac4e31421556d476677d916c5c701ae9aa4cce5b44835e186bb9731a0850d4a0db01cc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e5c1a7f38270951b963b17f17be61259

SHA1
5c232d4df0747987a19336b1a66862e53ec86581

SHA256
9612fbc673c387f3dccea5a9e2977d44db4c6322ab8b5bed759acd4c9731abfe

SHA512
fb722959888b86432b31ed54304156a44d841e58c45d185a84a9b359f79b17748c76ff1105491278439884e2aabb07bc802096d1484c1e38ad7f6960946fa995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1dcdc350c093a9e83aa96c1537402f27

SHA1
f868a10cff368bb6e287df3dc92b70d94ef5bdfd

SHA256
60c93d11a6c6e407a480d2d507c86b38bb09826a98dedf829e89aa7faadb44e0

SHA512
f05af5503afedc019fd1ab6b14468061943662a0195cf43c87720d7cacabdc219a405b2525212dce0ec21f0883cf8498e38fd012d534de3adc0fc7d706027b61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
382aec735caf66c368b4dad3b86a6842

SHA1
e576b6d067f5edd429de48b928c12dab6d33bc20

SHA256
02fa1bee1cc9ed409bef75acb6546fdc27d5eb662b23038a74a51382c4956342

SHA512
d4551bd57f57d8177d0612a187805b259c008e353cf10e95422d5325865276ddc230356fce3748de8274495709d7901d988c902bebf02d5e721e84e25328aaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\b646aa9779.exe

Filesize
1.3MB

MD5
0e5e24de451d12d5b51649955e70e046

SHA1
79594fc290c9e078f2d0da16c70e4dbd9454b023

SHA256
54975dc0e2b83571baea498229807c714716513d7f2c91c9ac99167a3fd69eeb

SHA512
110b1b8d926467fb989c3a36ce78781ae28241a4681fd8c77f61bdaf527bb81d5221b316019af3c8f6ce2096ba94363243b66674c68e32adc956f9861361cef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\a478906f1a.exe

Filesize
1.1MB

MD5
397d866946f927781483ed6d0c0ff1ff

SHA1
3d3942de5f7dc6a5f2cdb7e7dadb076278fd3453

SHA256
4263c41217331d3ca543b4a4a2bdb2a4fdbfe0127b2e68e2c8c5e9cd18936100

SHA512
cda4a92029617c83b07f1a678e82dd34b184b5728ebf1634d61faadf3223eed6ac1b7abd4818e9aba88b3ce133376e118a8ead07f3af707860b0cef63b3366d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
cd51b7700208ea7e7c81c1a06cafd36e

SHA1
132b425331c438c2833bf190f50bfdee16bc9d32

SHA256
bc7326e9d362c1a8871db1e5aaed37a0a33c9f812a0a962ec2dd1e6e41b7745a

SHA512
99b4688b74587eb062193dcb2cf15d3fad3e48e3281b73c022957fa38a304acb50afcb50941b9a829669a6b3f364f3c13535298ad10cd37905caa0aeb207b83a

Download Submit
memory/1108-185-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-18-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-21-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-246-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-239-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-20-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-136-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-137-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-19-0x0000000000D31000-0x0000000000D5F000-memory.dmp

Filesize
184KB

Download
memory/1108-147-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-210-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-236-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-254-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-242-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-163-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-164-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-262-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-206-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-203-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-283-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1108-181-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/1892-243-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-252-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-284-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-56-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-186-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-240-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-64-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-237-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-145-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-255-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-211-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-204-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-183-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-174-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-263-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/1892-207-0x00000000009D0000-0x0000000000F02000-memory.dmp

Filesize
5.2MB

Download
memory/3016-198-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/3016-201-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/3024-200-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/3024-202-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/3308-2-0x0000000000251000-0x000000000027F000-memory.dmp

Filesize
184KB

Download
memory/3308-16-0x0000000000250000-0x0000000000714000-memory.dmp

Filesize
4.8MB

Download
memory/3308-3-0x0000000000250000-0x0000000000714000-memory.dmp

Filesize
4.8MB

Download
memory/3308-4-0x0000000000250000-0x0000000000714000-memory.dmp

Filesize
4.8MB

Download
memory/3308-1-0x0000000077A26000-0x0000000077A28000-memory.dmp

Filesize
8KB

Download
memory/3308-0-0x0000000000250000-0x0000000000714000-memory.dmp

Filesize
4.8MB

Download
memory/3532-69-0x0000000000020000-0x00000000004D5000-memory.dmp

Filesize
4.7MB

Download
memory/3532-39-0x0000000000020000-0x00000000004D5000-memory.dmp

Filesize
4.7MB

Download
memory/3636-250-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/3636-247-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-205-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-212-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-285-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-241-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-184-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-238-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-253-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-71-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-256-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-244-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-146-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-208-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-264-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-175-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-187-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/4360-182-0x0000000000E30000-0x00000000012E5000-memory.dmp

Filesize
4.7MB

Download
memory/5008-251-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download
memory/5008-249-0x0000000000D30000-0x00000000011F4000-memory.dmp

Filesize
4.8MB

Download