amadey | 76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
19/06/2024, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
Size

1.8MB
MD5

dcd5cc4deeef7db596ffab6e0e45bcde
SHA1

3d417ed61b4d924bdb3f2d6450adb9f87c61b442
SHA256

76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5
SHA512

22eb0fad86a4674f8c34368e437a82b86db7d3f23d5b03742cca3ab60360a0bdfc961b3b9cd3d6eb5fb9849c7dad7becd95c413f33e85d3f1685fb55abcbd660
SSDEEP

49152:Z6x5doAtUJTLSUs+dvnHGUUHNKpN6Svgy4MatJ46E5cLgJ:Eble8qpmUUvCb4MWaIgJ

Score

10^/10

amadey risepro 0e6740 e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cb7a11648f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec7ae35581.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cb7a11648f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cb7a11648f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec7ae35581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec7ae35581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 9 IoCs

pid	Process
4752	explortu.exe
2032	cb7a11648f.exe
3996	axplong.exe
1888	ec7ae35581.exe
480	9644414553.exe
5560	axplong.exe
5584	explortu.exe
5616	axplong.exe
5640	explortu.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	ec7ae35581.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	cb7a11648f.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec7ae35581.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ec7ae35581.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000002aa98-77.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2572	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
4752	explortu.exe
2032	cb7a11648f.exe
3996	axplong.exe
1888	ec7ae35581.exe
5560	axplong.exe
5584	explortu.exe
5616	axplong.exe
5640	explortu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
File created	C:\Windows\Tasks\axplong.job	cb7a11648f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632881253529992"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-952492217-3293592999-1071733403-1000\{D653C635-CB6B-4C7C-8A41-7520935A6344}	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2572	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
2572	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
4752	explortu.exe
4752	explortu.exe
2032	cb7a11648f.exe
2032	cb7a11648f.exe
3996	axplong.exe
3996	axplong.exe
1888	ec7ae35581.exe
1888	ec7ae35581.exe
2052	chrome.exe
2052	chrome.exe
5560	axplong.exe
5560	axplong.exe
5584	explortu.exe
5584	explortu.exe
5616	axplong.exe
5616	axplong.exe
5640	explortu.exe
5640	explortu.exe
4640	chrome.exe
4640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe
Token: SeShutdownPrivilege	2052	chrome.exe
Token: SeCreatePagefilePrivilege	2052	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
480	9644414553.exe
480	9644414553.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
480	9644414553.exe
2052	chrome.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
2052	chrome.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
480	9644414553.exe
480	9644414553.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe
480	9644414553.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 4752	2572	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe	80
PID 2572 wrote to memory of 4752	2572	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe	80
PID 2572 wrote to memory of 4752	2572	76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe	80
PID 4752 wrote to memory of 3444	4752	explortu.exe	87
PID 4752 wrote to memory of 3444	4752	explortu.exe	87
PID 4752 wrote to memory of 3444	4752	explortu.exe	87
PID 4752 wrote to memory of 2032	4752	explortu.exe	88
PID 4752 wrote to memory of 2032	4752	explortu.exe	88
PID 4752 wrote to memory of 2032	4752	explortu.exe	88
PID 2032 wrote to memory of 3996	2032	cb7a11648f.exe	89
PID 2032 wrote to memory of 3996	2032	cb7a11648f.exe	89
PID 2032 wrote to memory of 3996	2032	cb7a11648f.exe	89
PID 4752 wrote to memory of 1888	4752	explortu.exe	90
PID 4752 wrote to memory of 1888	4752	explortu.exe	90
PID 4752 wrote to memory of 1888	4752	explortu.exe	90
PID 4752 wrote to memory of 480	4752	explortu.exe	91
PID 4752 wrote to memory of 480	4752	explortu.exe	91
PID 4752 wrote to memory of 480	4752	explortu.exe	91
PID 480 wrote to memory of 2052	480	9644414553.exe	92
PID 480 wrote to memory of 2052	480	9644414553.exe	92
PID 2052 wrote to memory of 1264	2052	chrome.exe	95
PID 2052 wrote to memory of 1264	2052	chrome.exe	95
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 3088	2052	chrome.exe	96
PID 2052 wrote to memory of 4908	2052	chrome.exe	97
PID 2052 wrote to memory of 4908	2052	chrome.exe	97
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98
PID 2052 wrote to memory of 2596	2052	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe
"C:\Users\Admin\AppData\Local\Temp\76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:3444
- - C:\Users\Admin\1000015002\cb7a11648f.exe
    "C:\Users\Admin\1000015002\cb7a11648f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3996
- - C:\Users\Admin\AppData\Local\Temp\1000016001\ec7ae35581.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\ec7ae35581.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\1000017001\9644414553.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\9644414553.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff4dd7ab58,0x7fff4dd7ab68,0x7fff4dd7ab78
        5⤵
        
        PID:1264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=584 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:2
        5⤵
        
        PID:3088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        
        PID:4908
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        
        PID:2596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:1
        5⤵
        
        PID:4604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:1
        5⤵
        
        PID:1184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3540 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:1
        5⤵
        
        PID:4756
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3364 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:1
        5⤵
        
        PID:3392
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4428 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        
        PID:3516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:2036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        
        PID:3524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        
        PID:5236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:8
        5⤵
        
        PID:5244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1788,i,12108016281955420071,11492690337798879003,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5560

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5584

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5616

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000015002\cb7a11648f.exe

Filesize
1.8MB

MD5
49b1779e0790335706a9d4309ea5c67a

SHA1
6be00d520eaf69e3a408c4035409070f995d52e0

SHA256
ed29dfb2fa4ec6922f2f57e28990800a1395be023f18fa4d8bb617daf3b61361

SHA512
b83877a5ce3e50f59c26538aa39225a7047bb314368918f315a5972de446553e83e124437ae5c5083285b6f6ddd20b1ef47fc270cee6078c592bddd71eeac49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
dde8bef9a770a4d45d225b0e38f772af

SHA1
4d4fc9b7d7b10a5f883b3d6f7e89a68bbc8771aa

SHA256
f74bcd7df01e375f90a4410d8e1b7b1bbcf22039fa8cdcf0ec48e03decbfd2dc

SHA512
f4bc7981e6a7e04066b6afac83a8edbd2556bf1cbcb8a920998503587f3a2d6c833664cf042aa358a5b96fa815d7721b24f7a388ceaaf63692407367cffacbd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\69cf3710-690d-43c0-a1d9-678fe92dc647.tmp

Filesize
2KB

MD5
f4324e2136920798c283c0882094671b

SHA1
2778556b83273f65c924f052798effb67450578f

SHA256
cc8975ef2a9501063e551d55cdafb3b8b3fd2c1d50a5c52692a350be9134a74f

SHA512
0b5098bd8969a44b056761cf8e69a0ee6d0df95b9801d78f754c8deef3daaa470f619b217db3709397ff7a1bf6128e8def74c302c77437bde96f6b5dace10aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2878ac3b5728934ab2cb09616b1bdf4a

SHA1
30d8fbd3bbe6608d95901fff13d615d5a208a736

SHA256
2864d033cf65d57069cea340f35eaeba6afba8e244990e6632e58b0d64b36443

SHA512
779f28e5b5ff79b4dc1f5649751e6d852ade0c938256c02f90248e37563661c807879f1a6258301d326cad7d54849c28e0dc9d839c14324f7bca3ca88b4bb622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
6b8f688c9cc72962890b71cf3d357fe1

SHA1
3cda63a8d80be1a5ee68694a0101921b26a630b1

SHA256
524a30d3570a9ea185db60f56b487efdce8b345f6b32a81d15f5c8b49626a698

SHA512
105563ee2d9c273bd37fafcd1babb2a1deff37af27c68ee9f98eb38f306c5a6d4cd60cea7f37f83837c197f84f824f79d41676cb0dd77e858986fec0dff6f583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
e9a664efb19e57dba2b4fd465dfe0f18

SHA1
9da6754d30df1fd288139f0e12c939b27a66aeb8

SHA256
6fcb3a0392307b8b2498e3d1aacbf7abed49287b5ab02b4cb029b45a008ca02f

SHA512
a2dad317a680713b5e10d1cf999693b44db01da6c5b8e88a24a408b081bf116d45a91a74967af2efbb920db6af82c6ab3ba28b46d68f9c6327c912974502d5bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\acd8f175-88ca-4c3a-b3a8-397efcdacc11.tmp

Filesize
522B

MD5
db3fd461787d4e4d440628671a333782

SHA1
1ad84e9c90246b03fc8dcf9772264f76b4575d9a

SHA256
cca4b59acc7cfc09e1528af8ef926fb6a3aa93bbd5cbdda2b30ccd8c12f0d7e2

SHA512
8eab65cfb2ec59a4b46320b0ea9edab2c2d3a8f08d34d8ed41ed02a297c24adee9cc632e2f220afa0f02bfd0458eb198f9a73d0d9b373096f627a0e2266c802d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
90b11e0cb3d23ac9dabfd3eadb5987ef

SHA1
baba10a8139dc1e62ab02a18da90d3350e02b3ee

SHA256
ec10b31bf2ad75183598aebba4b44a0a8b62aea92acaf6e93134bc7f11144151

SHA512
567364837d470d92f2c72c97cfb106d5bea841d13b44a0a8cd6c7987ed5b2532a68b00edda4a211cc5c7f90f33e54ee66aa47a909a506cf7bd49d0cafa1b55b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1d92c9cd0e7d54532fc14b8e49581b88

SHA1
bc8fef37af541833a6d337186b3c17437da51982

SHA256
0d3c186dc80167c4728fd9c2d3a5ec1ddb3f9f3b0d30f2023f0218cb11931fb2

SHA512
aa86672784b26e8192c78d6b1af467be12384113e8af4353e27940e399bdcc965229543eb92cb16894030bdf9ef3c9a3112e48ff5b6cd3760545b5c36f570755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
2876ca6f035796454fea606a2a3c7f00

SHA1
b9e4c3dc5a5a2a2b63869555ac06d81db81577b5

SHA256
c97ad7b37e85328c03a7c26746a0339034670a80141fbb96875abecac4aa11bb

SHA512
85b9deb68ee682032de83018ff8b6a38ebbf67800cc1b11ba5d905ec22aada2b5d190666a13db743eb7fda8f39e81ef405208fcd739a05544bc60482661860da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\ec7ae35581.exe

Filesize
2.4MB

MD5
813a28cde67e57d0c490c820e18753ac

SHA1
236f9fb76209746d9ca26a68bd71e88df32eee87

SHA256
d3f0ec904629094be46b90ff41e9919e09833a349af8f81c2e55937d366ee3eb

SHA512
900d9280b24efc483d83e43157c207aeeaa66aa46055332227f52991d0543d218bb8dcb49763d63975a48889626f541e417b073513d2b7b75ec820a294a323bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\9644414553.exe

Filesize
1.1MB

MD5
3aa4eb09e27cf260c29ceda9db44f407

SHA1
6de01b40e72256080a0977bba6e4da5ef45baa9e

SHA256
8e1f27945823bee545039a37f7d43737ba5c5ba1f2292b7e8ee0015b0f150964

SHA512
0d35151c76233a7da0838b3da3045c268bc757b963baf4e42dac8408d6a3207bc39b1f025c1a2b0ff46623ab5c15b8674d00c379c90de1017499fc0f435ce126

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
dcd5cc4deeef7db596ffab6e0e45bcde

SHA1
3d417ed61b4d924bdb3f2d6450adb9f87c61b442

SHA256
76c389a26a9dace3d662a2ec402e1d6518cb34883ff362116d624d3f47b577c5

SHA512
22eb0fad86a4674f8c34368e437a82b86db7d3f23d5b03742cca3ab60360a0bdfc961b3b9cd3d6eb5fb9849c7dad7becd95c413f33e85d3f1685fb55abcbd660

Download Submit
memory/1888-266-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-239-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-191-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-194-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-179-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-252-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-249-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-206-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-209-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-258-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-72-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-255-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-146-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-175-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/1888-213-0x0000000000CF0000-0x0000000001312000-memory.dmp

Filesize
6.1MB

Download
memory/2032-39-0x00000000004B0000-0x000000000095F000-memory.dmp

Filesize
4.7MB

Download
memory/2032-52-0x00000000004B0000-0x000000000095F000-memory.dmp

Filesize
4.7MB

Download
memory/2572-2-0x0000000000C11000-0x0000000000C3F000-memory.dmp

Filesize
184KB

Download
memory/2572-3-0x0000000000C10000-0x00000000010D8000-memory.dmp

Filesize
4.8MB

Download
memory/2572-16-0x0000000000C10000-0x00000000010D8000-memory.dmp

Filesize
4.8MB

Download
memory/2572-5-0x0000000000C10000-0x00000000010D8000-memory.dmp

Filesize
4.8MB

Download
memory/2572-0-0x0000000000C10000-0x00000000010D8000-memory.dmp

Filesize
4.8MB

Download
memory/2572-1-0x0000000076F66000-0x0000000076F68000-memory.dmp

Filesize
8KB

Download
memory/3996-190-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-174-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-53-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-254-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-193-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-251-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-145-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-205-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-248-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-257-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-208-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-265-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-238-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/3996-212-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/4752-207-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-264-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-164-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-163-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-211-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-147-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-241-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-20-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-189-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-223-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-21-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-19-0x0000000000441000-0x000000000046F000-memory.dmp

Filesize
184KB

Download
memory/4752-204-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-250-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-276-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-105-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-253-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-192-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-18-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/4752-256-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/5560-177-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/5560-181-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/5584-180-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/5584-183-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/5616-245-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/5616-242-0x0000000000F20000-0x00000000013CF000-memory.dmp

Filesize
4.7MB

Download
memory/5640-247-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download
memory/5640-244-0x0000000000440000-0x0000000000908000-memory.dmp

Filesize
4.8MB

Download