amadey | dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23/06/2024, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
Size

1.8MB
MD5

a8707270334007303c6fc1ab8978f43a
SHA1

ff629db999684f6cba25e3f092f6f4978d03be44
SHA256

dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb
SHA512

5ca180a94b8320d77a532bdc36b971614392de8186ac18845146c63a9377bd972295224b48d0fea12e082eb6c2b668f558c760475b2e62ba01e971703f97cddd
SSDEEP

49152:Ted37khpow96EV40tmJTSum8ccv9QkVkCt9:Te5lkITSuHikVdt

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5c7c612b3f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c64d03f13a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5c7c612b3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c64d03f13a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5c7c612b3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c64d03f13a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe

Executes dropped EXE 5 IoCs

pid	Process
1580	explortu.exe
1392	5c7c612b3f.exe
4136	c64d03f13a.exe
1568	explortu.exe
4192	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	5c7c612b3f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	c64d03f13a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\5c7c612b3f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\5c7c612b3f.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4136-120-0x0000000000560000-0x0000000000AC6000-memory.dmp	autoit_exe
behavioral2/memory/4136-153-0x0000000000560000-0x0000000000AC6000-memory.dmp	autoit_exe
behavioral2/memory/4136-161-0x0000000000560000-0x0000000000AC6000-memory.dmp	autoit_exe
behavioral2/memory/4136-162-0x0000000000560000-0x0000000000AC6000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4556	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
1580	explortu.exe
1392	5c7c612b3f.exe
4136	c64d03f13a.exe
1568	explortu.exe
4192	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636158873061366"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4556	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
4556	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
1580	explortu.exe
1580	explortu.exe
1392	5c7c612b3f.exe
1392	5c7c612b3f.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
2904	chrome.exe
2904	chrome.exe
1568	explortu.exe
1568	explortu.exe
2904	chrome.exe
2904	chrome.exe
4192	explortu.exe
4192	explortu.exe
2932	chrome.exe
2932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeCreatePagefilePrivilege	2904	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
4136	c64d03f13a.exe
2904	chrome.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe
4136	c64d03f13a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 1580	4556	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe	81
PID 4556 wrote to memory of 1580	4556	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe	81
PID 4556 wrote to memory of 1580	4556	dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe	81
PID 1580 wrote to memory of 2844	1580	explortu.exe	82
PID 1580 wrote to memory of 2844	1580	explortu.exe	82
PID 1580 wrote to memory of 2844	1580	explortu.exe	82
PID 1580 wrote to memory of 1392	1580	explortu.exe	83
PID 1580 wrote to memory of 1392	1580	explortu.exe	83
PID 1580 wrote to memory of 1392	1580	explortu.exe	83
PID 1580 wrote to memory of 4136	1580	explortu.exe	84
PID 1580 wrote to memory of 4136	1580	explortu.exe	84
PID 1580 wrote to memory of 4136	1580	explortu.exe	84
PID 4136 wrote to memory of 2904	4136	c64d03f13a.exe	85
PID 4136 wrote to memory of 2904	4136	c64d03f13a.exe	85
PID 2904 wrote to memory of 2900	2904	chrome.exe	88
PID 2904 wrote to memory of 2900	2904	chrome.exe	88
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 4204	2904	chrome.exe	89
PID 2904 wrote to memory of 2972	2904	chrome.exe	90
PID 2904 wrote to memory of 2972	2904	chrome.exe	90
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91
PID 2904 wrote to memory of 3988	2904	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe
"C:\Users\Admin\AppData\Local\Temp\dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\1000016001\5c7c612b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\5c7c612b3f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\1000017001\c64d03f13a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\c64d03f13a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbfb65ab58,0x7ffbfb65ab68,0x7ffbfb65ab78
        5⤵
        
        PID:2900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:2
        5⤵
        
        PID:4204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:2972
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:3988
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:1
        5⤵
        
        PID:2816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:1
        5⤵
        
        PID:2064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:1
        5⤵
        
        PID:4132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:2084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:1628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:2632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:4556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:2088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:8
        5⤵
        
        PID:4584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4068 --field-trial-handle=1840,i,12908668795151571304,2965189788979667308,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
840a4a670a9aab62104f74d1b9c42627

SHA1
2ed1a3a9020873d73971a5e6936e390b84875670

SHA256
8b4d7105a26ee675a3a077d9bb801844015c415b6656f00276de637b38c40aa4

SHA512
233517d85a17db9917faeb2e6ab1af4eb2c90fd4124f8fa617d1ce7d8cbea345295bb1db5c7f26de8f3a9d1160869bc417ac9dbda93f9a234e9be4148c210ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
02bb21f5404cf7f54c364fc3dac9c7e1

SHA1
121a4e9b76b8c42e677ca896e03ce52754d25db4

SHA256
a9442303cf93a79cc29430b51b22d1648aa5e4ce5eb1d7bd4074834830b9f9bc

SHA512
e2f09f3b4991f1e13a8c5bbb5e9b2721fdd77fdac33fb37a2de5da0d2632177f7fbbb9786c7e540b3c4543dc15af45f0bd1756a2e491a78eaaa5d7be62b533a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7b25b9ab3d2f693cfc2cbf0454160302

SHA1
2f739e4f846352bc27244b666b053dc86a4345bc

SHA256
2ee25abdf16d6d4c7879b3ffa0c11d054c0e7bec0bc06a6e7ac01fb992e07a4f

SHA512
5bf3b1ba64209884a1dbbde82ac5c3de9c7f9482af38b7d416ff8fc35d9c88ff64bd15a08e403fabb9f9ade4e313c6f274f484c53a4eacdaa89e7afd0fab2f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
1af0d7ef7159de36e27f64770c1d54f8

SHA1
0702969941e2795fd184d9723de517c4ee77b0c0

SHA256
fadb0a79246bc482abc4e230283cdef66c81e23c54212f50b793dea837d9fd67

SHA512
076ca2875a9d9524c514d1621f5edd9a23224ecd735bb6c141ce41b419e7b5e63e6a046cd498d15c794aa6cba3eee414d4509c9bf010c0aa6cf9ea47d636ed53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8c0114b5b8cd17b5545f8c9d2309778f

SHA1
4b8dbf5247badc03682e69520812a5328121e1ae

SHA256
4d19741a95b3c0b8235db091324277936276ed8d3d0326c3ff15caa1fee7ecba

SHA512
8aea1081c41ebfe95bdc393ec65003202b4461cc8c00c0338590e10cae760a5688380bd96b2a220c124c34985140f839b008d6b7ca7d313f6cea20230976ef18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c0cad1744bb215ad98e8ebd034c9100c

SHA1
3336e7404c50253f1ce4ad81a9946ed22555009f

SHA256
239bae94790f772f05c8dbf06396424fe65bbbe9a8a767a211e49cce93a2671e

SHA512
0925a531a7775bd3c09572aed0433a53c7c0e83a1d1927dab435ba027c737aa806664930affcceb53cd812612a6c6cd00371f191e1d2e160afc86a4c65090382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
a1b07c3dbd163b9c646e23bd32084ef2

SHA1
3b06661dcfc8d13711d7ff04a0fd8fd667cf59bd

SHA256
4b81f077a5240aef0c7f768bd8ac083dd3cf8db71d4cefadceb850f6b008bf69

SHA512
49501ad8100f318d2ff00f607100691f0f9023160a56d76afea27e52dc8f89a1baac452261e004bcae554c0c1eb832717fe1490a36626df3004de51bd0f39375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
316KB

MD5
2594252680b6085b5f656ec004e57048

SHA1
484a9e879f73e415d527077fa9528de2775a169f

SHA256
cb88f759ef62fc33a0cefc3f323cc87d117a3149253edee8267f59b2bf35efea

SHA512
6c1aab4e0d7a2c47da7bd85d39e19bd996f538cc0e8c410976b06495cd9afefa080d796f0d2be19fc1291d8af44c3df606a0ba6c5fdc2c1bd8e9a9513ce7709d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
cd762f9c6f1b304134bcf714596e1e5a

SHA1
dc6aef6555064308bc9181bc5c902ec9c19d141c

SHA256
905a1fe97cca2431dfb398c66037a50878b754a369d80df066af61102c3fd1d6

SHA512
0206ae4aca126dccc6c088b752cd1b41df9c2eb79dca6ec84ec903d2d43808d5bee53ef7e75276761b1f7dd8f174e8b65d0ec16136fd3dfa8fdb4c54724afc2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
d399f7509325253f20dca7c9bd2c4d76

SHA1
dcf78ebf4973dea1b7c45a3902215a7eaa3dc187

SHA256
889c26e416076f62ed45b1198b52b2c30c29b7ae982e45de4de53dfe2db1a118

SHA512
461cb01a5697a30add5ffe4e38c1f19fef06132aac8219bb86b371626ebc76592fa8142382513ffaaf9f651dc089858b68130538150da883a3ea689c46cf2198

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
859df479abc82342e394d32504e7425d

SHA1
eb18fb5658a8d38e89af0c57556ee1961db612d7

SHA256
cb05cd834cc15a5d086e7b33e7ce67750e569585fd67df33bb140b903ae401a9

SHA512
546d33f6f61311d4ad8092dd54cb4293579492d24d309996a90cd9eae38429e39a056952ddfadcd29cedaadf2211ca630aeb56808604b7a1af20a0dec0db6ca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5806f0.TMP

Filesize
82KB

MD5
6e8d04588a98effebe1f5059dd9e5672

SHA1
4e70e824c2f7a9e7e53a4c627da3e3c11a949d00

SHA256
63c408a28a1bd42c1a066577f2eaee73f3dc4949b08e860fcefacbc89e6da683

SHA512
1fb1df4482649aa12402cb6d10f6da8eb752f70533e94a1424698ad02239b2a99c254026d17622242e058bb794545babd583a793a75685c1f6d3d59ccdd30c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\5c7c612b3f.exe

Filesize
2.4MB

MD5
ccb1a7f6ca5cc76bdd2675771b5ca626

SHA1
114b9d898f0050db7f03ec982251cc3aa77c312b

SHA256
db80ceb2d05e827f26a32f82ca37a2ac9254a2b894d901bc4f6bbe4d83de2504

SHA512
1192ed72fd835bb0403a6a305649c0809bd77a9129f4edaf9a4d07793a01ab68f58773a846c975d66d2f1c51998aa0cddb3673008fc18311b7f14ba1c514b041

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\c64d03f13a.exe

Filesize
2.3MB

MD5
f2919adcf551238270aee051002030ee

SHA1
ed08d5f622548975869c8b5b6932d1b4f651564b

SHA256
44f043047a39e6c5c4d382a85dd6921d456ac18d89d1a4856c5e894e4d44173a

SHA512
437ed9206341a8eb1a755c0c2202b673cb59affafd20e380ffde2a0b21cb7b2236011d18a703dfe614fe3e0d6e68807d895c4916364f39699bd0c5a0ecb27178

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
a8707270334007303c6fc1ab8978f43a

SHA1
ff629db999684f6cba25e3f092f6f4978d03be44

SHA256
dc74a71aa39ba7b080e4f20f037eeb7c997592c58ac6d1ff5bbc584dfd6d9aeb

SHA512
5ca180a94b8320d77a532bdc36b971614392de8186ac18845146c63a9377bd972295224b48d0fea12e082eb6c2b668f558c760475b2e62ba01e971703f97cddd

Download Submit
memory/1392-234-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-248-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-273-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-119-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-262-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-43-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-42-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-255-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-253-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-163-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-245-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-209-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-152-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-154-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-197-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-195-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1392-172-0x00000000001F0000-0x00000000007FC000-memory.dmp

Filesize
6.0MB

Download
memory/1568-173-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1568-175-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-194-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-140-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-118-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-272-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-160-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-261-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-17-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-21-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-19-0x0000000000721000-0x000000000074F000-memory.dmp

Filesize
184KB

Download
memory/1580-196-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-254-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-208-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-151-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-168-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-252-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-233-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-20-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-246-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-244-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/1580-150-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/4136-120-0x0000000000560000-0x0000000000AC6000-memory.dmp

Filesize
5.4MB

Download
memory/4136-153-0x0000000000560000-0x0000000000AC6000-memory.dmp

Filesize
5.4MB

Download
memory/4136-61-0x0000000000560000-0x0000000000AC6000-memory.dmp

Filesize
5.4MB

Download
memory/4136-161-0x0000000000560000-0x0000000000AC6000-memory.dmp

Filesize
5.4MB

Download
memory/4136-162-0x0000000000560000-0x0000000000AC6000-memory.dmp

Filesize
5.4MB

Download
memory/4192-249-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/4192-251-0x0000000000720000-0x0000000000BD3000-memory.dmp

Filesize
4.7MB

Download
memory/4556-0-0x0000000000390000-0x0000000000843000-memory.dmp

Filesize
4.7MB

Download
memory/4556-3-0x0000000000390000-0x0000000000843000-memory.dmp

Filesize
4.7MB

Download
memory/4556-5-0x0000000000390000-0x0000000000843000-memory.dmp

Filesize
4.7MB

Download
memory/4556-16-0x0000000000390000-0x0000000000843000-memory.dmp

Filesize
4.7MB

Download
memory/4556-2-0x0000000000391000-0x00000000003BF000-memory.dmp

Filesize
184KB

Download
memory/4556-1-0x0000000077E26000-0x0000000077E28000-memory.dmp

Filesize
8KB

Download