amadey | 8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
19/06/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
Size

1.8MB
MD5

c5983a659ebf4221947d6f2b172046e4
SHA1

6780c29a68b77b8cf8dd41644c68e54d6675a6b4
SHA256

8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606
SHA512

6756d6cdeda152d8b2654895882082f51c4df2d684df9f46b5449293a5191bb24d1617a7335a0b0f46b4317010541c7cfe43a50498dbb303d0bb8de0ed2ec8c6
SSDEEP

49152:mrZOC8qzpKL2dXV/2o6uDvaqgnjIgWyHX6:J84+fy36

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	97d47ea031.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	97d47ea031.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	97d47ea031.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Executes dropped EXE 9 IoCs

pid	Process
3900	explortu.exe
3608	97d47ea031.exe
3092	axplong.exe
1008	a90aa11b89.exe
4116	axplong.exe
952	explortu.exe
884	688bf2bbb4.exe
4228	axplong.exe
564	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	97d47ea031.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	axplong.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\a90aa11b89.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\a90aa11b89.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa77-93.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
1660	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
3900	explortu.exe
3608	97d47ea031.exe
3092	axplong.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
4116	axplong.exe
952	explortu.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
4228	axplong.exe
564	explortu.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe
1008	a90aa11b89.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
File created	C:\Windows\Tasks\axplong.job	97d47ea031.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632736885668104"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2394516847-3409208829-2230326962-1000\{15B4263D-8EBE-4954-9B44-75590E87BEE4}	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1660	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
1660	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
3900	explortu.exe
3900	explortu.exe
3608	97d47ea031.exe
3608	97d47ea031.exe
3092	axplong.exe
3092	axplong.exe
4116	axplong.exe
4116	axplong.exe
952	explortu.exe
952	explortu.exe
2736	chrome.exe
2736	chrome.exe
4228	axplong.exe
4228	axplong.exe
564	explortu.exe
564	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
884	688bf2bbb4.exe
884	688bf2bbb4.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
884	688bf2bbb4.exe
2736	chrome.exe
884	688bf2bbb4.exe
2736	chrome.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
884	688bf2bbb4.exe
884	688bf2bbb4.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe
884	688bf2bbb4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1008	a90aa11b89.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3900	1660	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe	77
PID 1660 wrote to memory of 3900	1660	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe	77
PID 1660 wrote to memory of 3900	1660	8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe	77
PID 3900 wrote to memory of 4004	3900	explortu.exe	78
PID 3900 wrote to memory of 4004	3900	explortu.exe	78
PID 3900 wrote to memory of 4004	3900	explortu.exe	78
PID 3900 wrote to memory of 3608	3900	explortu.exe	79
PID 3900 wrote to memory of 3608	3900	explortu.exe	79
PID 3900 wrote to memory of 3608	3900	explortu.exe	79
PID 3608 wrote to memory of 3092	3608	97d47ea031.exe	80
PID 3608 wrote to memory of 3092	3608	97d47ea031.exe	80
PID 3608 wrote to memory of 3092	3608	97d47ea031.exe	80
PID 3900 wrote to memory of 1008	3900	explortu.exe	81
PID 3900 wrote to memory of 1008	3900	explortu.exe	81
PID 3900 wrote to memory of 1008	3900	explortu.exe	81
PID 3900 wrote to memory of 884	3900	explortu.exe	84
PID 3900 wrote to memory of 884	3900	explortu.exe	84
PID 3900 wrote to memory of 884	3900	explortu.exe	84
PID 884 wrote to memory of 2736	884	688bf2bbb4.exe	85
PID 884 wrote to memory of 2736	884	688bf2bbb4.exe	85
PID 2736 wrote to memory of 4400	2736	chrome.exe	88
PID 2736 wrote to memory of 4400	2736	chrome.exe	88
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1148	2736	chrome.exe	89
PID 2736 wrote to memory of 1876	2736	chrome.exe	90
PID 2736 wrote to memory of 1876	2736	chrome.exe	90
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91
PID 2736 wrote to memory of 1796	2736	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe
"C:\Users\Admin\AppData\Local\Temp\8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4004
- - C:\Users\Admin\1000015002\97d47ea031.exe
    "C:\Users\Admin\1000015002\97d47ea031.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3092
- - C:\Users\Admin\AppData\Local\Temp\1000016001\a90aa11b89.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\a90aa11b89.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\1000017001\688bf2bbb4.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\688bf2bbb4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8838fab58,0x7ff8838fab68,0x7ff8838fab78
        5⤵
        
        PID:4400
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:2
        5⤵
        
        PID:1148
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        
        PID:1876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        
        PID:1796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:1
        5⤵
        
        PID:2664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:1
        5⤵
        
        PID:4784
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4004 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:1
        5⤵
        
        PID:1556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3428 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:1
        5⤵
        
        PID:4252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4464 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        
        PID:4460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        
        PID:3416
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        
        PID:3832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1828,i,12778154225811470717,8972228381441305109,131072 /prefetch:8
        5⤵
        
        PID:4224

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\97d47ea031.exe

Filesize
1.8MB

MD5
4e283e66074f88a23026f5b63669478a

SHA1
2f103fd786b5cf04a59fa477ffb5a82ccc66184c

SHA256
4ef53fd60a02e9a6f969d85607046f597d290fd103c4f3ffafd6c4f619420b7d

SHA512
fd7e6f7ee882f4bdc0ce45f27979b1f17758032b3a9da47ac87042b1663122df504091ff9599e06b66163b9559c4654c6843778b4f60539d610148c0c748cbee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
6fad0f77498548eae6f4be2a9c95373d

SHA1
67835481cf495f858dc49b160385f87655416f25

SHA256
4a0c26901aa553a166c9e167452ba0d8ca5e24527d60a2c2ac1f4affdf0e71df

SHA512
99c599c28a74767848f37e0f7b48cda48472e0aadd69e1d1b8a7854ad490a84e0b8260076220b857c3c95e8be5fbb87dd1c76fc02c1145d0b63dd41c95b3115e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1f70c06bc6808f4d0a43f8037f1073a3

SHA1
ee441f1ba7c8b6fe4f92f54d736d2910edb39854

SHA256
5c180cc343c26ffdb8c04835fdf573c777aa3ee3d81914b368553bcf32001717

SHA512
9389db5010096ac4152adbe18d3ddf0c0491077c944e56909dd2499c2dd216605f6b0c50bc797572571e77b091a7ec911180d6aaa4c09af29b3290bc751c5d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1cda8fc94ca3a63378ace4d0f449106d

SHA1
20319bdd4f72a7765ab02ccf8a22c9f024ed5f1a

SHA256
71b073f8048ebb0ab22a85338d856a0f90be562c21b4684d9968048177e405ec

SHA512
5352b1b62dcc42e0d2b2c726f15013859350d05adf475910a5d5cadc2ce4c3b969e2580b801562635287e350cc3cd6fa0dcd82b6e816cdf0fd14e11969906811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
5f247ebefcf85a3d0d516c1f36d85d88

SHA1
e56ed92d1450244015e4a8ccd8052d09490670f0

SHA256
998b2da0251430dab47a5d7a41174412ef6546515377c87e9c254d86f77171f1

SHA512
8efca1c4eb1947238101045796fab6906ad1014daaab8d11bed1c9fffe460bc5a3e8ca98860d893ec2a276189c5d7c685073cc8fbe17f20056fdf14806fa51c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
a703d62ca0a429e3891fee1b67e29659

SHA1
e0d43c615f5417d3c25c843c232bfb1654037c54

SHA256
66946f61fa2dff13db7c2b5a9ed163f27ae1fe16d8c0138b35c51f8e1e1fb893

SHA512
2ef15a4a9c283b35a287ac38ce3a482e0fa67c78eb7452d52c51a0cc3cbe16ea6c3f77a76e4b05e00a22c55345fc1f5a1e731c4989034feae2ac80eb842de94f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
271adb6db588d1e5e91de386af44d3e3

SHA1
70d3e5cae5e54bf2cf39111f04073972db5ce3c3

SHA256
b6c6eebb21fa944295ad51e53f42267263b500abb5d034d53a57c12bd1a2e33b

SHA512
b83764d30bd0a67466d4ca9e442c817bb88a54cb836329eb7aa9f1a8a26348e3109562266ebdd67fc127720fb9afa19adcfa32b63267bec9e7431facffe3f87d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
032752ba65cf05e7c7c59ffe8f8c8f54

SHA1
6491dec5f3f090e5fccf105f45773be7ff202c04

SHA256
1b452046f487cb7ee88c4defe765fcc545bbcaa95bb12094bb4d5d858b2f674d

SHA512
15fee5a6f4b5f9b073952733218eef9c01b53e2358029a00efcedc42326b9fe9836520f932ae9fd0d62baef3bf30f34c04ef25edf4ef79af5ceb4bfb7d1a2f30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
3553342f522e9725db3ffb0dc33a02cc

SHA1
a6ed0150946f6d8b92022f5d40accec206600797

SHA256
89e128ca4e90ba23a885187680cbea87ee449b4d25b61ea09a3337f190221d6a

SHA512
8ceb37943991fd8c527f8f33d7691e1cfcabbecd8e63877c7ff63efb21f039f702b1a2c78f89ca8a96337c70a81602563f8b1223d44345e5567715f59ed7be87

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\a90aa11b89.exe

Filesize
1.3MB

MD5
f22fb8771e211aeb78245a57f2a1d837

SHA1
357e680581d4cd1f4f49ae015649455843d85033

SHA256
352fa07a1269bacd2422cd60c8ccc24e95cdfcdd04b1fd1c37e6e8c71f9203e3

SHA512
3519d0d25440ab73965c0dd5d0e57b154894d2d198d504407502603f77f56ae1b551e612fe1ed6f623a94cfbd8c7626c66cb201dcd0db080df23f7ef9f113097

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\688bf2bbb4.exe

Filesize
1.1MB

MD5
e612c0e5a19084c77d0dc36c1d4e3f3c

SHA1
6101f92da4935db14d43e313d386f4ddb1a904cb

SHA256
9e2c635067d1ddc1147af34ea8d3479ed552d6b8de64f4633e76a41eed439ec0

SHA512
596ee9232e94852715ba5e675ba1cb4d54bc7b68ad961a1a7386831810d11e8621e5102b5e48df0360593ec0d77b06f1c017b9a4210bd8945ed8b320d5fb6848

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
c5983a659ebf4221947d6f2b172046e4

SHA1
6780c29a68b77b8cf8dd41644c68e54d6675a6b4

SHA256
8491dd6b7b8fa67897edd50d8153ff2010f5bcf6058d5b1a1b7927c8e7bbe606

SHA512
6756d6cdeda152d8b2654895882082f51c4df2d684df9f46b5449293a5191bb24d1617a7335a0b0f46b4317010541c7cfe43a50498dbb303d0bb8de0ed2ec8c6

Download Submit
memory/564-227-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/564-224-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/952-88-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/952-85-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/1008-260-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-217-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-162-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-76-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-194-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-202-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-230-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-205-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-266-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-82-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-71-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-220-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-269-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1008-263-0x00000000005F0000-0x0000000000B22000-memory.dmp

Filesize
5.2MB

Download
memory/1660-0-0x0000000000D10000-0x00000000011CF000-memory.dmp

Filesize
4.7MB

Download
memory/1660-2-0x0000000000D11000-0x0000000000D3F000-memory.dmp

Filesize
184KB

Download
memory/1660-3-0x0000000000D10000-0x00000000011CF000-memory.dmp

Filesize
4.7MB

Download
memory/1660-1-0x00000000778D6000-0x00000000778D8000-memory.dmp

Filesize
8KB

Download
memory/1660-17-0x0000000000D10000-0x00000000011CF000-memory.dmp

Filesize
4.7MB

Download
memory/1660-5-0x0000000000D10000-0x00000000011CF000-memory.dmp

Filesize
4.7MB

Download
memory/3092-229-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-201-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-271-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-80-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-268-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-193-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-161-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-265-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-262-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-219-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-74-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-259-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-204-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-216-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3092-54-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/3608-39-0x0000000000760000-0x0000000000C05000-memory.dmp

Filesize
4.6MB

Download
memory/3608-40-0x0000000000760000-0x0000000000C05000-memory.dmp

Filesize
4.6MB

Download
memory/3608-53-0x0000000000760000-0x0000000000C05000-memory.dmp

Filesize
4.6MB

Download
memory/3900-75-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-173-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-18-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-270-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-19-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-218-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-228-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-215-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-79-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-240-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-78-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-77-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-203-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-20-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-261-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-21-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-131-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-264-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-195-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-73-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/3900-267-0x00000000008F0000-0x0000000000DAF000-memory.dmp

Filesize
4.7MB

Download
memory/4116-86-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/4116-83-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/4228-226-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download
memory/4228-222-0x00000000005E0000-0x0000000000A85000-memory.dmp

Filesize
4.6MB

Download