amadey | 10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
Size

1.8MB
MD5

5ed0e8668a858d9df9fb5580b05862cf
SHA1

0bceeaa17da374f934d4c4b05e82055535d41bf5
SHA256

10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd
SHA512

70fc9d26e2b47962b818ab021b28fc3a4ac79f01ef8359ecd69e8661dd2cc224966e820d8e73b25d76be3c75cd3c235a5f0e26848694506a16ebfa04d29f666d
SSDEEP

24576:0QoMJwZSHK/PoSDRLmATxzCoA1OIy7JQBruvAu+BSqjQBA6UAlLAFpUu3yU+vcVQ:3oawc4bRr7JQBruvqEBXUEQLi4aML

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4316b646ef.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	718d7c9630.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4316b646ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4316b646ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	718d7c9630.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	718d7c9630.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
3952	explortu.exe
3596	explortu.exe
3616	4316b646ef.exe
908	718d7c9630.exe
3256	explortu.exe
5012	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	4316b646ef.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	718d7c9630.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\4316b646ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\4316b646ef.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/908-157-0x0000000001000000-0x0000000001547000-memory.dmp	autoit_exe
behavioral2/memory/908-187-0x0000000001000000-0x0000000001547000-memory.dmp	autoit_exe
behavioral2/memory/908-193-0x0000000001000000-0x0000000001547000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4576	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
3952	explortu.exe
3596	explortu.exe
3616	4316b646ef.exe
908	718d7c9630.exe
3256	explortu.exe
5012	explortu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 3596	3952	explortu.exe	78

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637254134089816"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4576	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
4576	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
3952	explortu.exe
3952	explortu.exe
3596	explortu.exe
3596	explortu.exe
3616	4316b646ef.exe
3616	4316b646ef.exe
908	718d7c9630.exe
908	718d7c9630.exe
4240	chrome.exe
4240	chrome.exe
3256	explortu.exe
3256	explortu.exe
5012	explortu.exe
5012	explortu.exe
4872	chrome.exe
4872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
908	718d7c9630.exe
908	718d7c9630.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
908	718d7c9630.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
4240	chrome.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
908	718d7c9630.exe
908	718d7c9630.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
908	718d7c9630.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe
908	718d7c9630.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3952	4576	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe	77
PID 4576 wrote to memory of 3952	4576	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe	77
PID 4576 wrote to memory of 3952	4576	10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe	77
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3596	3952	explortu.exe	78
PID 3952 wrote to memory of 3616	3952	explortu.exe	79
PID 3952 wrote to memory of 3616	3952	explortu.exe	79
PID 3952 wrote to memory of 3616	3952	explortu.exe	79
PID 3952 wrote to memory of 908	3952	explortu.exe	80
PID 3952 wrote to memory of 908	3952	explortu.exe	80
PID 3952 wrote to memory of 908	3952	explortu.exe	80
PID 908 wrote to memory of 4240	908	718d7c9630.exe	81
PID 908 wrote to memory of 4240	908	718d7c9630.exe	81
PID 4240 wrote to memory of 4468	4240	chrome.exe	84
PID 4240 wrote to memory of 4468	4240	chrome.exe	84
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 1964	4240	chrome.exe	85
PID 4240 wrote to memory of 5112	4240	chrome.exe	86
PID 4240 wrote to memory of 5112	4240	chrome.exe	86
PID 4240 wrote to memory of 1436	4240	chrome.exe	87
PID 4240 wrote to memory of 1436	4240	chrome.exe	87
PID 4240 wrote to memory of 1436	4240	chrome.exe	87
PID 4240 wrote to memory of 1436	4240	chrome.exe	87
PID 4240 wrote to memory of 1436	4240	chrome.exe	87
PID 4240 wrote to memory of 1436	4240	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe
"C:\Users\Admin\AppData\Local\Temp\10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\1000016001\4316b646ef.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\4316b646ef.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\1000017001\718d7c9630.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\718d7c9630.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a5c4ab58,0x7ff9a5c4ab68,0x7ff9a5c4ab78
        5⤵
        
        PID:4468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:2
        5⤵
        
        PID:1964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:8
        5⤵
        
        PID:5112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:8
        5⤵
        
        PID:1436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:1
        5⤵
        
        PID:3156
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:1
        5⤵
        
        PID:3512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3440 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:1
        5⤵
        
        PID:4840
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:8
        5⤵
        
        PID:3232
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:8
        5⤵
        
        PID:4208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:8
        5⤵
        
        PID:5012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 --field-trial-handle=1808,i,8990382132781038547,3841906354244671605,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3198810d-4e04-4513-81a0-68f157f34d60.tmp

Filesize
271KB

MD5
19470c07b69a4d5d15492f559036de6e

SHA1
62f15c0be24c094eba50aa43de55bffe3105b814

SHA256
cb2bed335c3407dda1c44216942771f4e66e9c5ab71aecfef93cbe8e8e94f3ae

SHA512
7ab767a33595d970328b64cf715970bd4ecdb5d717866b8035c145444ebec99ae1be9b05d56f1a6cf7f29020af3a99fac9077d1e2c685701416bff0e26d25f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
72162f58a6da399b09c7ba8cd0f0c3be

SHA1
6a4b0b2dd9fc38bd41b8a8725668c890d77d56fd

SHA256
27a738e7652ac7f34b50cc9f9212e00a174400cd99cf34cd208fe97dc63d37cd

SHA512
39299eca0a824dd80ac791f9458c8f13eedbefffb3bf2074c5709d7240be65aa6a89aecc37813f46f0a3d06bc9975dcd5aa9ff3aba9f5b82da6140ded63225fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bc8ceaf86f111d844e840166bb78556a

SHA1
1ef5718ab8234a64ef342062f34b4f85eb6d81d1

SHA256
caac91e77e98462738f932670a13b4565fc9c7a631513094b1d57b356b055840

SHA512
2293a8e26eed47b4bf79ed4338b386a60aec76ab63f854264dd858eb90089f5bde75b5407a1d4540662a24be554dba884ec12b54ff132277607c19a21e41a477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4f2bcd89eb84e314db506a8c7c152b3d

SHA1
f6037887f55520c3af5ad62695fc2148c1993dba

SHA256
117403bc77ba04d16a7c9e44af7c6b11ed1b68f645dd54ce637e9d6ed8ce2c23

SHA512
1f3126cedee2a1b7ad042f08fb189e0f385408011ce42622b6268ffa8860410a8a19cbafdff19b9ecd067842046cf8db7d74bba36789a88a80735458bc3a0171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
d8ea006553ceaf89c82f20e602cb85a2

SHA1
39e3fcac2370aa44cba6f72b77e501acf61df452

SHA256
81aba700161affa6a322bc9025fbce809d12368f32f8d4df46f78c3a8e18fda6

SHA512
15300040a80007feac0c4997dfa9636d4a1bd5cc0e5c8d512de333b665ca9db2d0626daeed94fdb19d2aeb21bb071e4bba0b5595b3afb8f24e6d948cacba314a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e296c419b5091859fd3856529d95c475

SHA1
f7db0e6308f9172856514202b9ef5c28dc17f372

SHA256
f108fd10064a08f74606fdc36c9a1ebaf0a1cd07e4bbf05b9e61ab2580166c97

SHA512
a8bef71c08285ecaecdb56b6a5fe0bba40c3f8c5bc619e1905fc78682a77e63f197bae51b654968fdfe3efcd6796ea5c72e02ef7e62ac6e7a78b2ca4fad11cf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
dd9256666acc0e9e73e65a4a667e289d

SHA1
3f723f10a91af966edc87bf31c22bbfde1ebe1f2

SHA256
4276af030c2ae11878ae7854c5aec1bd4a3742a53a14c513ff8a03954d5b7445

SHA512
58dd5bb56425e7cca9b4f2aebc98f038a2fd84f25aa5f5697415c94be9b7b4c57dfd0c3f75d7e85d72b09d3908ef081b319d9af944076513b3f36afe03710246

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\4316b646ef.exe

Filesize
2.4MB

MD5
378b6827d35be7bed5543a62cca0ba79

SHA1
10875b3b4e02c2ae815233fb6bbed90e3df118eb

SHA256
c797f8a9a772429a944573cb5c13cf4a7dce006bedc73acd64375398d3290c7c

SHA512
34200a71445e904d7c0aa028dfb7a91dd83a318b4652a5b434ab14523ff717e70f5ffcf27d881268f9dac50ee86a19621df8e58e482f68a5df998ae40796fc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\718d7c9630.exe

Filesize
2.2MB

MD5
2de3ad5860d9cf34e3bf2b04dd4e6d31

SHA1
9316b90db20e5a5ad2ce5cf20159929cefd5dec1

SHA256
64ac85747beed5c81234bd6b4a56987ed1717920ff4d6ce2ff1bc608230dd915

SHA512
7520b0311cddd5858ffff667b9ae62ebc228bba2fdd14342ad114778c0df3dbf7f33d9cd80be4a62e321821e0d5990ca873a38360a2fa2fc7b7b126c89018331

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
5ed0e8668a858d9df9fb5580b05862cf

SHA1
0bceeaa17da374f934d4c4b05e82055535d41bf5

SHA256
10845e81e40f33980008efffc2275e8f2c9f6488d490175098eb1f058db917dd

SHA512
70fc9d26e2b47962b818ab021b28fc3a4ac79f01ef8359ecd69e8661dd2cc224966e820d8e73b25d76be3c75cd3c235a5f0e26848694506a16ebfa04d29f666d

Download Submit
memory/908-193-0x0000000001000000-0x0000000001547000-memory.dmp

Filesize
5.3MB

Download
memory/908-157-0x0000000001000000-0x0000000001547000-memory.dmp

Filesize
5.3MB

Download
memory/908-187-0x0000000001000000-0x0000000001547000-memory.dmp

Filesize
5.3MB

Download
memory/908-96-0x0000000001000000-0x0000000001547000-memory.dmp

Filesize
5.3MB

Download
memory/3256-177-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3256-174-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3596-38-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-27-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-31-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-36-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-24-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-40-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-42-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-44-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-45-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-46-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-50-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-51-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-54-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-56-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-57-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-58-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-55-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-53-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-49-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-48-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-47-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-41-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-43-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-39-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-37-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-52-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-34-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-35-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-28-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3596-33-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-32-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-30-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3596-29-0x0000000000400000-0x0000000000A07000-memory.dmp

Filesize
6.0MB

Download
memory/3616-195-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-241-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-239-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-155-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-77-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-237-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-235-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-233-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-213-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-210-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-208-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-197-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3616-179-0x00000000001D0000-0x00000000007DF000-memory.dmp

Filesize
6.1MB

Download
memory/3952-178-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-209-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-156-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-194-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-240-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-196-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-18-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-207-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-139-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-236-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-19-0x0000000000DE1000-0x0000000000E0F000-memory.dmp

Filesize
184KB

Download
memory/3952-212-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-20-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-154-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-238-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-78-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-232-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-21-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/3952-234-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/4576-2-0x00000000003C1000-0x00000000003EF000-memory.dmp

Filesize
184KB

Download
memory/4576-0-0x00000000003C0000-0x000000000086E000-memory.dmp

Filesize
4.7MB

Download
memory/4576-5-0x00000000003C0000-0x000000000086E000-memory.dmp

Filesize
4.7MB

Download
memory/4576-17-0x00000000003C0000-0x000000000086E000-memory.dmp

Filesize
4.7MB

Download
memory/4576-3-0x00000000003C0000-0x000000000086E000-memory.dmp

Filesize
4.7MB

Download
memory/4576-1-0x0000000077A06000-0x0000000077A08000-memory.dmp

Filesize
8KB

Download
memory/5012-231-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download
memory/5012-229-0x0000000000DE0000-0x000000000128E000-memory.dmp

Filesize
4.7MB

Download