amadey | 210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d

Analysis

max time kernel
150s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
Size

1.8MB
MD5

285c6c39fb0db3ddc06e92f2d381b0e9
SHA1

a45bd3b98806a9c6f4654134023ba9a69ca65a88
SHA256

210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d
SHA512

1d328e8a63f3b3fc2f3d9021855a2ed22a31af9da855e523b52fb33ed6bea7c8d3544985e0b267f8a5564e9f8398eecd1bc20218c972c9c0d8221a976d265c20
SSDEEP

49152:R0TVJTWYUFJIHt4P8jGSQxl1z99mpSdKMhFHADVJ:RO7KDFwq86lP1zyMfgDVJ

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	667cff1c17.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	82e8c2a417.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	667cff1c17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	667cff1c17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	82e8c2a417.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	82e8c2a417.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe

Executes dropped EXE 7 IoCs

pid	Process
3780	explortu.exe
4880	explortu.exe
900	explortu.exe
4988	667cff1c17.exe
1148	82e8c2a417.exe
1368	explortu.exe
708	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	667cff1c17.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	82e8c2a417.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\667cff1c17.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\667cff1c17.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1148-157-0x0000000000640000-0x0000000000B8F000-memory.dmp	autoit_exe
behavioral2/memory/1148-189-0x0000000000640000-0x0000000000B8F000-memory.dmp	autoit_exe
behavioral2/memory/1148-190-0x0000000000640000-0x0000000000B8F000-memory.dmp	autoit_exe
behavioral2/memory/1148-191-0x0000000000640000-0x0000000000B8F000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4688	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
3780	explortu.exe
4880	explortu.exe
900	explortu.exe
4988	667cff1c17.exe
1148	82e8c2a417.exe
1368	explortu.exe
708	explortu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 900	3780	explortu.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634521964585349"	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4688	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
4688	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
3780	explortu.exe
3780	explortu.exe
4880	explortu.exe
4880	explortu.exe
900	explortu.exe
900	explortu.exe
4988	667cff1c17.exe
4988	667cff1c17.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
4292	chrome.exe
4292	chrome.exe
1368	explortu.exe
1368	explortu.exe
708	explortu.exe
708	explortu.exe
2876	chrome.exe
2876	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1148	82e8c2a417.exe
1148	82e8c2a417.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
4292	chrome.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1148	82e8c2a417.exe
1148	82e8c2a417.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe
1148	82e8c2a417.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3780	4688	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe	81
PID 4688 wrote to memory of 3780	4688	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe	81
PID 4688 wrote to memory of 3780	4688	210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe	81
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 900	3780	explortu.exe	83
PID 3780 wrote to memory of 4988	3780	explortu.exe	84
PID 3780 wrote to memory of 4988	3780	explortu.exe	84
PID 3780 wrote to memory of 4988	3780	explortu.exe	84
PID 3780 wrote to memory of 1148	3780	explortu.exe	85
PID 3780 wrote to memory of 1148	3780	explortu.exe	85
PID 3780 wrote to memory of 1148	3780	explortu.exe	85
PID 1148 wrote to memory of 4292	1148	82e8c2a417.exe	86
PID 1148 wrote to memory of 4292	1148	82e8c2a417.exe	86
PID 4292 wrote to memory of 3764	4292	chrome.exe	89
PID 4292 wrote to memory of 3764	4292	chrome.exe	89
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 1644	4292	chrome.exe	90
PID 4292 wrote to memory of 4556	4292	chrome.exe	91
PID 4292 wrote to memory of 4556	4292	chrome.exe	91
PID 4292 wrote to memory of 3508	4292	chrome.exe	92
PID 4292 wrote to memory of 3508	4292	chrome.exe	92
PID 4292 wrote to memory of 3508	4292	chrome.exe	92
PID 4292 wrote to memory of 3508	4292	chrome.exe	92
PID 4292 wrote to memory of 3508	4292	chrome.exe	92
PID 4292 wrote to memory of 3508	4292	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe
"C:\Users\Admin\AppData\Local\Temp\210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:900
- - C:\Users\Admin\AppData\Local\Temp\1000016001\667cff1c17.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\667cff1c17.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\1000017001\82e8c2a417.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\82e8c2a417.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9c509ab58,0x7ff9c509ab68,0x7ff9c509ab78
        5⤵
        
        PID:3764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:2
        5⤵
        
        PID:1644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:8
        5⤵
        
        PID:4556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2128 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:8
        5⤵
        
        PID:3508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:1
        5⤵
        
        PID:3048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:1
        5⤵
        
        PID:3056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3420 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:1
        5⤵
        
        PID:3284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:8
        5⤵
        
        PID:4260
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:8
        5⤵
        
        PID:2828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:8
        5⤵
        
        PID:1060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4104 --field-trial-handle=1832,i,15264236457272105841,1692839260673836899,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3d3c4dbd4f902aaa58e50462170f7c18

SHA1
1b5d84bb5cb73fee89f02e07d10361492c6835f8

SHA256
6bb9b6b6f6def2c8ca89be7863048255c86b75902427fb71fc9e94544f475d11

SHA512
a2edb37b6c652ed762a2aebd2f918a6b74d8448ec2edab7104696c581a4ae01af37630916d98686235519cd4c16c77133eebe8dcf8bb0a62c5fbd6829de8e3b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
df5a1cfa13c56a320b8e3f67e38e36cb

SHA1
515af28079a08cb31b7d7e137b6555ebb12d2610

SHA256
7fa0c4db6006aa048744a7539fdb19075e79f8685ef33df9fd0e530365b077aa

SHA512
b924d58eb6960b9ef5f07c0c2dcef69cbb3903fe33ec1667acacccddd71b2251d29c01fd45fed6b05c4f170f11105f71990e7024b5990daaf10b034dd90e65ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11ec83895836e0ffd02399badea7b64e

SHA1
54d967da579a9643e087eafdae244ffe3e44f372

SHA256
0f8fcf316c0725269aa62a98b006fc351f2d363aea4dea4c50352ba57a13cdd6

SHA512
ea45e75c186f87bbd1d45485e3ad8cffa593d3e464d0556380df67a3a34d5d6fe52333880fd850aed4097011df26791c5fbac1774bbe13a048ee2113384c6ed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
ec853228dc8d37d3d208c1e83b0bcb63

SHA1
3549532b371548158af7074a5a03bbecb84c4107

SHA256
c71bc5d9b95454980d39bf276778c76d9641a8a91ceb6ebd90a785c62d1ffcd5

SHA512
7734224cbb8add9dbab34659ea657ada23f50582a4130e7b042225629880959bbff8d8039fbbfb27e988d0edbfbc522852e0076c36ccac1fd00a29891011037b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5de988365ef4d0abc89c72f100f393f6

SHA1
7fdd18c985b562afc68ca598509bfd2f582b5221

SHA256
2752629bdf13f3a91fd9fc04ac8882824d2bec743b862f665883bdd4b9a56ce1

SHA512
a65e70e858065ad0345b14f724db18f85e3ae27b7f46b5bf5420a9754d624daf36ad22096718ef99b4f4b0f608cb9642e910d61b20b319cc0c1c84a289d872d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
61035ca005ab7a99213c62457c1f704f

SHA1
bbdb75eb5f31f9e62384d012c08740b08f7bee60

SHA256
8b29239f9193f814abbf2e61cc0d3dfa283bff1c30e36110f91a9629e8ac6acf

SHA512
3cdb63a1928d86fbb03165754b052c6c1ebc9181eb122d66f11ca293358267d7d2abeacdfd12cc377c67907b3a53552f3d7af889c223eef7dcfcd00eada3eef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
8b48866b57dca2fe0cbb37e0c40f80b0

SHA1
fb1e5d71f6d62980bb8d84a1cd5c784a9c20291d

SHA256
1eb73957466f1382c6a07e0f50e47b2b26d98afc67a48e7a6db3b499e912d93b

SHA512
e9905dd6d0719ea510be4dd4ca654aecb550a45d6af143606b1d35eeb5b3c68fd463d96ba1753f4403d5d138bfde31dc0307829bfb4afe6bf3e663444bf4eb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\667cff1c17.exe

Filesize
2.3MB

MD5
39b6052c1751a9f1f4bc5b585a85cfb4

SHA1
9cb1137ff9d41ff5ffca1f8670a07d8312b7fc9d

SHA256
0970804338ce1dd9edd1c56b2f2521d4acd2744197f7c8a1031ac7a928aa1808

SHA512
234ddcac8fcbaa0d5b17e0f1e691ccdcaa9778bf978743f4161450d7089b32b3fb0543d0680c3618230d690cf2ebd5e392174b6c32210ccdb402c4376ad7415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\82e8c2a417.exe

Filesize
2.3MB

MD5
7736b1952eb7a235b633bae811bad357

SHA1
8cf031001ef87af7864cf1a80553c19c1dde08d9

SHA256
e38c194946ed747b5364184069471352ccd6317b999784e80c9685a09c1e0545

SHA512
39b3c32a38804b200885741648f1c9215a394e44d0c06059c4709c90c15f3140b4a33f12287005e7969984b0a00216b8d72db1b2d637a9c453593638d5b8a650

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
285c6c39fb0db3ddc06e92f2d381b0e9

SHA1
a45bd3b98806a9c6f4654134023ba9a69ca65a88

SHA256
210493f0e2d4f7b30dc57e1fddf0ab1a8110b439725f7455a0b6a2c124407b4d

SHA512
1d328e8a63f3b3fc2f3d9021855a2ed22a31af9da855e523b52fb33ed6bea7c8d3544985e0b267f8a5564e9f8398eecd1bc20218c972c9c0d8221a976d265c20

Download Submit
memory/708-238-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/708-239-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/900-40-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-47-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-29-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-33-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/900-49-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-48-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-52-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-55-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-56-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-58-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-61-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-63-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-62-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-60-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-57-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-59-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-54-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-53-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-51-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-32-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-50-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-46-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-45-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-43-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-42-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-41-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-39-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-38-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-36-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-35-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-44-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-34-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/900-37-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/1148-157-0x0000000000640000-0x0000000000B8F000-memory.dmp

Filesize
5.3MB

Download
memory/1148-191-0x0000000000640000-0x0000000000B8F000-memory.dmp

Filesize
5.3MB

Download
memory/1148-190-0x0000000000640000-0x0000000000B8F000-memory.dmp

Filesize
5.3MB

Download
memory/1148-189-0x0000000000640000-0x0000000000B8F000-memory.dmp

Filesize
5.3MB

Download
memory/1148-103-0x0000000000640000-0x0000000000B8F000-memory.dmp

Filesize
5.3MB

Download
memory/1368-208-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1368-209-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-205-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-18-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-232-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-213-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-156-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-102-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-233-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-20-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-19-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-235-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-182-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-240-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-210-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-101-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-25-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-229-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-192-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-82-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/3780-194-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/4688-2-0x0000000000FA1000-0x0000000000FCF000-memory.dmp

Filesize
184KB

Download
memory/4688-3-0x0000000000FA0000-0x0000000001447000-memory.dmp

Filesize
4.7MB

Download
memory/4688-0-0x0000000000FA0000-0x0000000001447000-memory.dmp

Filesize
4.7MB

Download
memory/4688-17-0x0000000000FA0000-0x0000000001447000-memory.dmp

Filesize
4.7MB

Download
memory/4688-1-0x0000000077286000-0x0000000077288000-memory.dmp

Filesize
8KB

Download
memory/4688-4-0x0000000000FA0000-0x0000000001447000-memory.dmp

Filesize
4.7MB

Download
memory/4880-24-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/4880-26-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/4880-22-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/4880-23-0x0000000000C60000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/4988-206-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-230-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-231-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-214-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-211-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-234-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-195-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-236-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-193-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-83-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-183-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download
memory/4988-155-0x0000000000CD0000-0x00000000012D7000-memory.dmp

Filesize
6.0MB

Download