amadey | ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
22/06/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
Size

1.8MB
MD5

5d8db7f0c0a8012c52645788c3b45bb3
SHA1

97dc9c3f109f7df727c53931f919a0fe12896382
SHA256

ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db
SHA512

1dbf1829315df0636b99bea3c83134726e382c1db2c78f32d38cac74c7b5617f2564abed6fe2920009fde682a01e79108f62b0ee0925645847de76cfdfb2e9e7
SSDEEP

24576:HAFe3VaOVG6h4xx7XjCLCJcv5EyQebU+aBpj+d5/yD3I/JPqaMymIzcoegP81q+O:HAFcVU6cxHACcEmbUIPVmIzJPgZ

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b13332e8e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d891002705.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b13332e8e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b13332e8e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d891002705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d891002705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 5 IoCs

pid	Process
1380	explortu.exe
4932	2b13332e8e.exe
1028	d891002705.exe
1480	explortu.exe
3176	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	2b13332e8e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	d891002705.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\2b13332e8e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\2b13332e8e.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1028-121-0x0000000000400000-0x0000000000951000-memory.dmp	autoit_exe
behavioral2/memory/1028-155-0x0000000000400000-0x0000000000951000-memory.dmp	autoit_exe
behavioral2/memory/1028-162-0x0000000000400000-0x0000000000951000-memory.dmp	autoit_exe
behavioral2/memory/1028-163-0x0000000000400000-0x0000000000951000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3900	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
1380	explortu.exe
4932	2b13332e8e.exe
1028	d891002705.exe
1480	explortu.exe
3176	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635076363749638"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3900	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
3900	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
1380	explortu.exe
1380	explortu.exe
4932	2b13332e8e.exe
4932	2b13332e8e.exe
1028	d891002705.exe
1028	d891002705.exe
2740	chrome.exe
2740	chrome.exe
1480	explortu.exe
1480	explortu.exe
2740	chrome.exe
2740	chrome.exe
3176	explortu.exe
3176	explortu.exe
4676	chrome.exe
4676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
1028	d891002705.exe
2740	chrome.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe
1028	d891002705.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 1380	3900	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe	82
PID 3900 wrote to memory of 1380	3900	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe	82
PID 3900 wrote to memory of 1380	3900	ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe	82
PID 1380 wrote to memory of 996	1380	explortu.exe	83
PID 1380 wrote to memory of 996	1380	explortu.exe	83
PID 1380 wrote to memory of 996	1380	explortu.exe	83
PID 1380 wrote to memory of 4932	1380	explortu.exe	84
PID 1380 wrote to memory of 4932	1380	explortu.exe	84
PID 1380 wrote to memory of 4932	1380	explortu.exe	84
PID 1380 wrote to memory of 1028	1380	explortu.exe	85
PID 1380 wrote to memory of 1028	1380	explortu.exe	85
PID 1380 wrote to memory of 1028	1380	explortu.exe	85
PID 1028 wrote to memory of 2740	1028	d891002705.exe	86
PID 1028 wrote to memory of 2740	1028	d891002705.exe	86
PID 2740 wrote to memory of 1340	2740	chrome.exe	89
PID 2740 wrote to memory of 1340	2740	chrome.exe	89
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 4016	2740	chrome.exe	90
PID 2740 wrote to memory of 1588	2740	chrome.exe	91
PID 2740 wrote to memory of 1588	2740	chrome.exe	91
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92
PID 2740 wrote to memory of 3960	2740	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe
"C:\Users\Admin\AppData\Local\Temp\ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\1000016001\2b13332e8e.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\2b13332e8e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\1000017001\d891002705.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\d891002705.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbfb65ab58,0x7ffbfb65ab68,0x7ffbfb65ab78
        5⤵
        
        PID:1340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:2
        5⤵
        
        PID:4016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:1588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:3960
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:1
        5⤵
        
        PID:4916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:1
        5⤵
        
        PID:3700
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:1
        5⤵
        
        PID:4128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:2776
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:4944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:908
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:5108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:4556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:8
        5⤵
        
        PID:3828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1844,i,1103602362628421338,3981897800573428005,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\17b8e6dd-8ed2-4768-855a-c2d4bc487f41.tmp

Filesize
16KB

MD5
8222cce3ff6ace0e6666ae2cedfb7904

SHA1
50705e183a208cb217e6f5808f8ddc1a276049a8

SHA256
ecd72eedb7fdae356a4b850648b0b6dd53fe2aa247b3e0b2fd0fa92a44b2aa25

SHA512
58b56ebfdf8ae2585c0b8779fa22baf21120efedb9d783ada3f6c841b4021335e12ec1641181652228f1b3d0531383264ea0c15147a9644d497344104710e82d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
57f69faa7ae5c575db9fa9c67dda56c5

SHA1
5b548b14a2132898be63f72bba0cd61376f98b20

SHA256
b73bb0121971a3e4fd66f6fb4b6a4529b3a7bb58ae7c0cfc087fcd2ffdb96397

SHA512
de2dfeffb764cd73f4480318e74eb34d7a30a543a9ee01b59a9b8346083a7c595d894d4a6c499fbc21bf9102c8ed4872e52c711c6db42d1604ae97613317d95a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
53b2228e3c972e0dedd93955a8874e91

SHA1
4608ba0c9fbc5fbc2dfc8970ada064a098a2fe38

SHA256
92c1b119aaaac11647553ff01cd247c5c1458c1b23281566bff9d405308773dc

SHA512
6872c2c80d5de4b325389d5fc115206c498d6415ec22f6ae3bdd220405aa23094384ee45fb9ceac8b57ee07f9aaa089db2a27da53fd970d6235b863491f435ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1c876223d7693433d696a8b3af4f724b

SHA1
3e317a72b1bc0f071181cdf8622ee2aeb745495f

SHA256
dc1669ace37cc168ce7eaaa7a157086c8f8e44c441d105f64a1eb23315bc392f

SHA512
0ae99cb03e1ac2dee91837c405c1046b9616db566dcd3b78ab26b811edfad34dd544c8c325090f5b304dca9e6cafc0aae3c5500392c745bfa840e4dc6134eebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
284d13d895adcd98536d2564e2a270b0

SHA1
4bcb005ed9f975a8d60677046098edb0fadee706

SHA256
1b6087db9643c6685ffc1746a43506f63cf6fb2f5998f2384e8a89f4dfb81130

SHA512
706e42ef641da5b4588917bf5f1f7f7546065cfe0961d6d8f5245b1a450f9ebe8a73b83fcb55df60d1e8b01febd263c0282ea0154c0a78be7060b4647ecace98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a76189afb1138f00f1e34628075bf278

SHA1
7c79d79b0e5f8f48aa7dc12ff7aed88628193e5f

SHA256
4782921e3cc4923c46da5d0ce7f256577c005648e63429f4f129cee9599f26ae

SHA512
efb8dbe8cb0131ee4f960ef8694c9bb95f1a0c050d315f1ae3320fe5b4594983da8d4df7a0fb3c51ed550f11e39b2c98a4adcd35d1e41d5111f8a3e2c4457dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
00c535e2495a2588ea265cc0bc76a8db

SHA1
7817b6013607e41712e4d6be5b765be58ec2e667

SHA256
206e82ec727de5d07604085058e85432e92cf7eba008686e657d5c346af15693

SHA512
f7d90e97c1586439a7ac1a0d183b537b07eded7ea8e2e7b2b2df324dcde0af4c830a34996fde66feadc7a5f48b327f246795c6e7f2de7901cc8cfa5a143ada1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
302KB

MD5
4ede86430c811fa91b82a1e9f5f2b950

SHA1
05ea534df91e8839ceff22c9a5e5cc3752340541

SHA256
0d936a6bd7241ef4366f1701198a8f41b5bbed8addb21724dfc7f9a5426ffd6f

SHA512
c7b888d82ce6279b33351b48cb53922051546ccfa3fc1294cf2f56ce4e980fe54f543c02a18d366c633b93f28abe366b090c3aab1ff7eba6eccb4d47c1aca418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
17157bad1eabe981e574879f913354a6

SHA1
2f17325797badded1e4112981d01b70b8b305149

SHA256
cc69db8a79ba67e75cd5591daf5372e8a25bf2e09a43729ab219ad2ff4c41a48

SHA512
6cbd7c64b1c642f84b17f34237a5b2731ca1ff153f5e5967da7f9965280155ddec5e8b2987a99751b0b8cfb5d8745b79c9ba615ba515cb013f3f2b3da3fa8d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
e097fa615a0fe726602c0aa8c1ae0f9a

SHA1
516b5add39d49402c3bcdf7a8dea3c969e972391

SHA256
2234da2f139630de74d9c486816fd276a05e5fe534dacfcb18deacdaf65dadf1

SHA512
8b0eaa6bf0ce2a482a2f40da316391e2a8256e676dbb18358ae75ee2bf5e475f7f1f3054cc8dba79e16056707a8f39781df6864fea1aa4ad865d753b7d64f8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
d2f0e0417327b1f1f400badb8df73056

SHA1
31682367743ef7bae8e60895c37390c1b1a5b035

SHA256
ea79d1f7b13c44462139bba4cbb0eba7cfd3a5d2e020321a39e21db4885007d1

SHA512
d14f5e3be68b249c413e98c60f43aabf2ac2d2fa6cbe44aab2bcf463119656c4480588c2ed12deb78a15943e28138a615ae4f52930a787d02cb95545f8be553a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580f9b.TMP

Filesize
82KB

MD5
c34a132b5afa56a99c86e6c9d5a7a251

SHA1
9ac7d312831d08f8e108d840031cb6279661bf8a

SHA256
3335ad700bd2b1cb2e62596b6a68550a7160498543969d062a0dc0c64c75c54f

SHA512
7a593c9d206e3f0ead8e402a878d975e493915070a8715e477f53eb2a60485cb63d11265cf599157ed9a241297276d88505792f14681769aad376479c409270c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\2b13332e8e.exe

Filesize
2.4MB

MD5
2eb3a55faf1758dcd3eb4444e2916f67

SHA1
9d1183f8d2fcb431f13f2623e7c5576f44f802c3

SHA256
73add53c5cd676a937a974e094fca30813967a8b5f436a9c3a66cbfeede62ced

SHA512
5efd160d602f7b677c7fa4879081883572ddac9d8206f035e4d06c1337ca4dbc00d23e8abec116f39f58c3eb2f59eea848c7ab61e052279d75d81fe3f1aea544

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\d891002705.exe

Filesize
2.3MB

MD5
67fa41ca85ba076c464f63cf7cf2973b

SHA1
836791dbd81943d26c87255dc5263b6bae89fd68

SHA256
55cb4e9e16bdc318decefc462626bfd7f92d438f20a290b22280377c8085615a

SHA512
f1274de83daee5a1e4fb1c1ee6ca1a813b4965d40cfa68f66aabe29ce4e494fae6444bf5e797c17b3c91482091cd8e4b3a03add456deafd016d5e0780a6649f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
5d8db7f0c0a8012c52645788c3b45bb3

SHA1
97dc9c3f109f7df727c53931f919a0fe12896382

SHA256
ca7e586c1c7da384c3568e0b85bc25eb40679eac1c5822020ae23479ce7792db

SHA512
1dbf1829315df0636b99bea3c83134726e382c1db2c78f32d38cac74c7b5617f2564abed6fe2920009fde682a01e79108f62b0ee0925645847de76cfdfb2e9e7

Download Submit
memory/1028-121-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1028-163-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1028-162-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1028-155-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1028-60-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1380-169-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-113-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-120-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-262-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-21-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-142-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-143-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-20-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-255-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-234-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-264-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-19-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-161-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-122-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-112-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-197-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-200-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-249-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-18-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-247-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-191-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1380-236-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1480-194-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/1480-196-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/3176-252-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/3176-254-0x0000000000930000-0x0000000000DD0000-memory.dmp

Filesize
4.6MB

Download
memory/3900-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp

Filesize
184KB

Download
memory/3900-0-0x0000000000CF0000-0x0000000001190000-memory.dmp

Filesize
4.6MB

Download
memory/3900-5-0x0000000000CF0000-0x0000000001190000-memory.dmp

Filesize
4.6MB

Download
memory/3900-3-0x0000000000CF0000-0x0000000001190000-memory.dmp

Filesize
4.6MB

Download
memory/3900-1-0x0000000077E26000-0x0000000077E28000-memory.dmp

Filesize
8KB

Download
memory/3900-17-0x0000000000CF0000-0x0000000001190000-memory.dmp

Filesize
4.6MB

Download
memory/4932-172-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-164-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-246-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-235-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-248-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-210-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-250-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-192-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-154-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-153-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-256-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-42-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-263-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-119-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-198-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download
memory/4932-274-0x0000000000A70000-0x0000000001081000-memory.dmp

Filesize
6.1MB

Download