amadey | 2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68

Analysis

max time kernel
149s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23/06/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
Size

1.8MB
MD5

c7a009c46b4fe26f2096f60bed34ec5c
SHA1

c234aaadce392af45117566af537133be7e36ff4
SHA256

2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68
SHA512

c02238e9d104439be653d6843528b0ecc878ccb35281d6645c1ac42fe6213098b77d391d61441c0bed4e4c59bd4a3f29fdb569caefe1ad691963fc24230676db
SSDEEP

49152:+u19N7vN2Vmn+E3czo66sNohI1hCclz7vYFfy:+u1hIBAUo66sNohI1hCk7AJy

Score

10^/10

amadey risepro 0e6740 evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	32c5c58400.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8e3d103d2c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8e3d103d2c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8e3d103d2c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	32c5c58400.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	32c5c58400.exe

Executes dropped EXE 7 IoCs

pid	Process
572	explortu.exe
2372	explortu.exe
2780	explortu.exe
2108	32c5c58400.exe
4656	8e3d103d2c.exe
1948	explortu.exe
4936	explortu.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	32c5c58400.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	8e3d103d2c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4656-155-0x0000000000FA0000-0x0000000001504000-memory.dmp	autoit_exe
behavioral2/memory/4656-188-0x0000000000FA0000-0x0000000001504000-memory.dmp	autoit_exe
behavioral2/memory/4656-189-0x0000000000FA0000-0x0000000001504000-memory.dmp	autoit_exe
behavioral2/memory/4656-190-0x0000000000FA0000-0x0000000001504000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1952	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
572	explortu.exe
2372	explortu.exe
2780	explortu.exe
2108	32c5c58400.exe
4656	8e3d103d2c.exe
1948	explortu.exe
4936	explortu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 572 set thread context of 2780	572	explortu.exe	81

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635925922502315"	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1952	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
1952	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
572	explortu.exe
572	explortu.exe
2372	explortu.exe
2372	explortu.exe
2780	explortu.exe
2780	explortu.exe
2108	32c5c58400.exe
2108	32c5c58400.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
2100	chrome.exe
2100	chrome.exe
1948	explortu.exe
1948	explortu.exe
4936	explortu.exe
4936	explortu.exe
1532	chrome.exe
1532	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
4656	8e3d103d2c.exe
2100	chrome.exe
4656	8e3d103d2c.exe
2100	chrome.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe
4656	8e3d103d2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 572	1952	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe	80
PID 1952 wrote to memory of 572	1952	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe	80
PID 1952 wrote to memory of 572	1952	2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe	80
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2780	572	explortu.exe	81
PID 572 wrote to memory of 2108	572	explortu.exe	83
PID 572 wrote to memory of 2108	572	explortu.exe	83
PID 572 wrote to memory of 2108	572	explortu.exe	83
PID 572 wrote to memory of 4656	572	explortu.exe	84
PID 572 wrote to memory of 4656	572	explortu.exe	84
PID 572 wrote to memory of 4656	572	explortu.exe	84
PID 4656 wrote to memory of 2100	4656	8e3d103d2c.exe	85
PID 4656 wrote to memory of 2100	4656	8e3d103d2c.exe	85
PID 2100 wrote to memory of 3560	2100	chrome.exe	88
PID 2100 wrote to memory of 3560	2100	chrome.exe	88
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 1484	2100	chrome.exe	89
PID 2100 wrote to memory of 4976	2100	chrome.exe	90
PID 2100 wrote to memory of 4976	2100	chrome.exe	90
PID 2100 wrote to memory of 1096	2100	chrome.exe	91
PID 2100 wrote to memory of 1096	2100	chrome.exe	91
PID 2100 wrote to memory of 1096	2100	chrome.exe	91
PID 2100 wrote to memory of 1096	2100	chrome.exe	91
PID 2100 wrote to memory of 1096	2100	chrome.exe	91
PID 2100 wrote to memory of 1096	2100	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
"C:\Users\Admin\AppData\Local\Temp\2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\1000016001\32c5c58400.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\32c5c58400.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\1000017001\8e3d103d2c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\8e3d103d2c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8072cab58,0x7ff8072cab68,0x7ff8072cab78
        5⤵
        
        PID:3560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:2
        5⤵
        
        PID:1484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:8
        5⤵
        
        PID:4976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:8
        5⤵
        
        PID:1096
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:1
        5⤵
        
        PID:4800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:1
        5⤵
        
        PID:3440
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:1
        5⤵
        
        PID:5072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:8
        5⤵
        
        PID:4992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:8
        5⤵
        
        PID:1668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:8
        5⤵
        
        PID:2424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1840,i,10207143996557191642,15410268122674380470,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7b9ac28e7482d1e9d42f95df6db6e779

SHA1
153b2983d0d66b0e6f8efdc212edf82b7c241e4a

SHA256
e9a9370797574c950721decf2ae9ece15b62667419fc9110c7bde8465b700d7f

SHA512
2e9b1da8d2d64d2ad258e9d4b7cc9d57a62d7227435ae4bc58e6bf03d217040fd18853775b8a98bbc7282cd19da0540ab5d4ce870a45dbf03959b70a715bfada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2f95aacf1fce83f49329faab0a981dea

SHA1
76f719d1047b1fbe1e84a8f7a46805eb3ace07cf

SHA256
2ce3636848f9ed5bef09eae11dfbbfbf9bf986129aa68f21faafc47b5b7c8707

SHA512
7dd44cdbc0d5770ec7b7c3bc3d0ead952ef4b38a6ba1154da1d461042c89d844eaa17f81530154ef2e0d1fa62e26eb3fcb2f3007f195d5460975fac25e1c18bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d78a79bea851705cb9696ad418855456

SHA1
32af0c0870768f2a4510bd2b6c1d1609e84f9d94

SHA256
f6b2d5b5f087c13965f818cacc3fdbf629ffd624d5b316c2cb4d5eb82f91b20a

SHA512
c710e7592e0aec71233cbbac43ca2306572dc4c4a586b43722fc400060562280d1f9761effe75f0f88926e5c4bd78a79117ec4925ce1bb4e2824e9ad4faa277a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
7ee5dbb6a17a714897e52058be591027

SHA1
25ed2db46567081a168fdff39bfa7d15093c98b1

SHA256
1a8ce7254d37a147e36c747d575086deb670ac5e532a3b5d053da66daba176b0

SHA512
72724f69670413df3ec5f989003c4b3d4a0b3413c873508820895641efaf30d9ba5376c890f96e81d86ddfe637ca10a91834ee95be993ac937487e8b6b6a3000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
820c92c98e5cc861d22053dcf239fd84

SHA1
c4ab632e0d3cbd9dd70fba8c15941b8444005ff6

SHA256
2efb0f3c88698dab721b28f6cb4fc97647d015d175e7553b7d17cd15e9d45482

SHA512
a1c05914e879c0cec56ea18a303c8d4b5d9141715c62c2a416d3461009f562232dd60b48473d8e59763d549ea99719727ac85f59a75b67234d7fdbf254e4e516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
442703b390d7c02c2c4ad8fbe00045d4

SHA1
888c152db1a1d2e3651cf691dc53a60a23fd443c

SHA256
bd4927f0a894fc202c7c57aadb92f709672c62c24626cf175f7e9b8656043092

SHA512
6a6a8453a00ec92820cb319bb7aa386fbf1b09bf6f616410eeebf9f88ea2794ed893d34b6d8561ea54acef8dcbaf06bc49b268d9be518a057198dc45b8b111e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
4a2c133b3e182d3d675e719ee6f4aa75

SHA1
00836d2b3870fea7886672f7e2bdcc2fe1db1f4c

SHA256
9c80553f9f1f57b9190df9755d05f32ebbf165be45af066466a468c5875ff753

SHA512
9b1aa931e9bfbc6fe5236f230b6e6ae90cf2f61623755855920b3dbd8b4dac93cf2351e3d3bb93bc868edf5a8afc18a29e5bac5fbea360969a94e79af33b5d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\32c5c58400.exe

Filesize
2.4MB

MD5
4793141479e5bf1b051e4ee32644c502

SHA1
efc700b401b6dfa0facf9836f6a16f35ddcc0690

SHA256
48e4cb62fb5f994fb229e18f3f237d3a55cf84ae3934908b34a58cba1fdbaa4c

SHA512
a077f404ac1fcd80c6169aa64d33b18a96ea8d0196d9d109cae8bb5da2a698d8683a9e6168ec502d1d203af2af69fb4a2a41a62375e173cc95ef05893595ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\8e3d103d2c.exe

Filesize
2.3MB

MD5
d73636e05ef7b39f35123cff48ef22ee

SHA1
8202c02a82f7c4a94122bb3b98810c739f020bae

SHA256
c0dc88cc34916d03aa1236957cb78601af4b565bd2e604f1f6678cc47e70c2e2

SHA512
f14b152c732e4798a29882097ca87d56a1ba18484e3c67d2d49f4ba51b01c4f4bcde04ced09112c87cc9a16d17ceca818ccb48d2f6026a2415799ac91d93c31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
c7a009c46b4fe26f2096f60bed34ec5c

SHA1
c234aaadce392af45117566af537133be7e36ff4

SHA256
2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68

SHA512
c02238e9d104439be653d6843528b0ecc878ccb35281d6645c1ac42fe6213098b77d391d61441c0bed4e4c59bd4a3f29fdb569caefe1ad691963fc24230676db

Download Submit
memory/572-181-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-20-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-99-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-239-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-235-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-154-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-156-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-232-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-18-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-230-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-19-0x0000000000BB1000-0x0000000000BDF000-memory.dmp

Filesize
184KB

Download
memory/572-193-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-228-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-152-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-21-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-212-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-191-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-209-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/572-205-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/1948-207-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/1948-208-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/1952-0-0x00000000001A0000-0x0000000000642000-memory.dmp

Filesize
4.6MB

Download
memory/1952-3-0x00000000001A0000-0x0000000000642000-memory.dmp

Filesize
4.6MB

Download
memory/1952-1-0x0000000077766000-0x0000000077768000-memory.dmp

Filesize
8KB

Download
memory/1952-2-0x00000000001A1000-0x00000000001CF000-memory.dmp

Filesize
184KB

Download
memory/1952-5-0x00000000001A0000-0x0000000000642000-memory.dmp

Filesize
4.6MB

Download
memory/1952-17-0x00000000001A0000-0x0000000000642000-memory.dmp

Filesize
4.6MB

Download
memory/2108-210-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-194-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-204-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-229-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-231-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-213-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-192-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-234-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-182-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-81-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-233-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2108-153-0x0000000000360000-0x000000000096D000-memory.dmp

Filesize
6.1MB

Download
memory/2372-26-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/2372-25-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/2372-27-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/2780-48-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-49-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-70-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-68-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-31-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-69-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-67-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-66-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-50-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-53-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-52-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-56-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-28-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-32-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/2780-33-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-57-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-55-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-54-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-51-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-35-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-36-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-39-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-37-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-38-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-41-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-43-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-40-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-44-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-45-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-47-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-46-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-42-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/2780-34-0x0000000000400000-0x00000000009EE000-memory.dmp

Filesize
5.9MB

Download
memory/4656-100-0x0000000000FA0000-0x0000000001504000-memory.dmp

Filesize
5.4MB

Download
memory/4656-190-0x0000000000FA0000-0x0000000001504000-memory.dmp

Filesize
5.4MB

Download
memory/4656-189-0x0000000000FA0000-0x0000000001504000-memory.dmp

Filesize
5.4MB

Download
memory/4656-188-0x0000000000FA0000-0x0000000001504000-memory.dmp

Filesize
5.4MB

Download
memory/4656-155-0x0000000000FA0000-0x0000000001504000-memory.dmp

Filesize
5.4MB

Download
memory/4936-237-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download
memory/4936-238-0x0000000000BB0000-0x0000000001052000-memory.dmp

Filesize
4.6MB

Download