amadey | 6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7

Analysis

max time kernel
149s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
Size

1.8MB
MD5

72b16159bfac85a580459718c216c6ef
SHA1

5c5c833680f7ee229e75c84fd6f5e29c6276894e
SHA256

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7
SHA512

d4a922c3930b3c16b8ea0351e92c17e5081c559baafa26096c046429240e3fc73ef05c4bb2fab9e4478e39c126582761e15814aa3b1320a78a727e1249e1a233
SSDEEP

49152:biOTAKmudjXlE6g1jKYdGRn9F1F2i8SQBYGyiSEXX:biOTAKmudK9mN171F6AYBX

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exeexplorha.exee65d1f04b2.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e65d1f04b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

6 4064 rundll32.exe
7 1104 rundll32.exe
9 5076 rundll32.exe
11 3852 rundll32.exe
Downloads MZ/PE file

flow	pid	process
6	4064	rundll32.exe
7	1104	rundll32.exe
9	5076	rundll32.exe
11	3852	rundll32.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorha.exee65d1f04b2.exe6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e65d1f04b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e65d1f04b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 8 IoCs

Processes:

explorha.exee65d1f04b2.exeexplorha.exelumma21.exeexplorha.exechrosha.exeexplorha.exeexplorha.exe

pid process

2396 explorha.exe
2804 e65d1f04b2.exe
388 explorha.exe
4808 lumma21.exe
4188 explorha.exe
4520 chrosha.exe
1388 explorha.exe
3800 explorha.exe

pid	process
2396	explorha.exe
2804	e65d1f04b2.exe
388	explorha.exe
4808	lumma21.exe
4188	explorha.exe
4520	chrosha.exe
1388	explorha.exe
3800	explorha.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exe6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exeexplorha.exee65d1f04b2.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	e65d1f04b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4724 rundll32.exe
4064 rundll32.exe
1104 rundll32.exe
128 rundll32.exe
5076 rundll32.exe
3852 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4724	rundll32.exe
4064	rundll32.exe
1104	rundll32.exe
128	rundll32.exe
5076	rundll32.exe
3852	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\e65d1f04b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\e65d1f04b2.exe"	explorha.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exe

pid process

4588 6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
2396 explorha.exe
4188 explorha.exe
1388 explorha.exe
3800 explorha.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

explorha.exe

description pid process target process

PID 2396 set thread context of 388 2396 explorha.exe explorha.exe

description	pid	process	target process
PID 2396 set thread context of 388	2396	explorha.exe	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

lumma21.exe6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe
File created	C:\Windows\Tasks\explorha.job	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exeexplorha.exeexplorha.exerundll32.exepowershell.exeexplorha.exerundll32.exepowershell.exeexplorha.exe

pid	process
4588	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
4588	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
2396	explorha.exe
2396	explorha.exe
4188	explorha.exe
4188	explorha.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
1800	powershell.exe
1800	powershell.exe
1388	explorha.exe
1388	explorha.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
3288	powershell.exe
3288	powershell.exe
3800	explorha.exe
3800	explorha.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1800 powershell.exe
Token: SeDebugPrivilege 3288 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe

pid process

4588 6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe

description	pid	process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exeexplorha.exerundll32.exerundll32.exechrosha.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4588 wrote to memory of 2396	4588	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe	explorha.exe
PID 4588 wrote to memory of 2396	4588	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe	explorha.exe
PID 4588 wrote to memory of 2396	4588	6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe	explorha.exe
PID 2396 wrote to memory of 2804	2396	explorha.exe	e65d1f04b2.exe
PID 2396 wrote to memory of 2804	2396	explorha.exe	e65d1f04b2.exe
PID 2396 wrote to memory of 2804	2396	explorha.exe	e65d1f04b2.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 388	2396	explorha.exe	explorha.exe
PID 2396 wrote to memory of 4808	2396	explorha.exe	lumma21.exe
PID 2396 wrote to memory of 4808	2396	explorha.exe	lumma21.exe
PID 2396 wrote to memory of 4808	2396	explorha.exe	lumma21.exe
PID 2396 wrote to memory of 4724	2396	explorha.exe	rundll32.exe
PID 2396 wrote to memory of 4724	2396	explorha.exe	rundll32.exe
PID 2396 wrote to memory of 4724	2396	explorha.exe	rundll32.exe
PID 4724 wrote to memory of 4064	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 4064	4724	rundll32.exe	rundll32.exe
PID 4064 wrote to memory of 2316	4064	rundll32.exe	netsh.exe
PID 4064 wrote to memory of 2316	4064	rundll32.exe	netsh.exe
PID 4064 wrote to memory of 1800	4064	rundll32.exe	powershell.exe
PID 4064 wrote to memory of 1800	4064	rundll32.exe	powershell.exe
PID 2396 wrote to memory of 1104	2396	explorha.exe	rundll32.exe
PID 2396 wrote to memory of 1104	2396	explorha.exe	rundll32.exe
PID 2396 wrote to memory of 1104	2396	explorha.exe	rundll32.exe
PID 4520 wrote to memory of 128	4520	chrosha.exe	rundll32.exe
PID 4520 wrote to memory of 128	4520	chrosha.exe	rundll32.exe
PID 4520 wrote to memory of 128	4520	chrosha.exe	rundll32.exe
PID 128 wrote to memory of 5076	128	rundll32.exe	rundll32.exe
PID 128 wrote to memory of 5076	128	rundll32.exe	rundll32.exe
PID 5076 wrote to memory of 2320	5076	rundll32.exe	netsh.exe
PID 5076 wrote to memory of 2320	5076	rundll32.exe	netsh.exe
PID 5076 wrote to memory of 3288	5076	rundll32.exe	powershell.exe
PID 5076 wrote to memory of 3288	5076	rundll32.exe	powershell.exe
PID 4520 wrote to memory of 3852	4520	chrosha.exe	rundll32.exe
PID 4520 wrote to memory of 3852	4520	chrosha.exe	rundll32.exe
PID 4520 wrote to memory of 3852	4520	chrosha.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe
"C:\Users\Admin\AppData\Local\Temp\6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\1000022001\e65d1f04b2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000022001\e65d1f04b2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4808
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1104

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:128
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3288
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3852

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d0a491debdaef78b8d5662c9baa209d

SHA1
6aafccf0d3ec78adffd63419be80ecca1c504f79

SHA256
5699d20559e534de556496e6411b71394639777508c309354cc4754af1cb6840

SHA512
3a321d4149a878efc518cb4dab63427b4c3b963f7ae07653e2dfbfd9a01b25f9b9876098a093b4db69bdd4e2de6203ff7a1ac8afe298d9f764fb79729861e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
72b16159bfac85a580459718c216c6ef

SHA1
5c5c833680f7ee229e75c84fd6f5e29c6276894e

SHA256
6a71731a81417cf52a67f7e70e81457e2164dc20c41d70845e9e8d1537c3fed7

SHA512
d4a922c3930b3c16b8ea0351e92c17e5081c559baafa26096c046429240e3fc73ef05c4bb2fab9e4478e39c126582761e15814aa3b1320a78a727e1249e1a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.7MB

MD5
4db649ffc425ac6237be98a0d576a43a

SHA1
75021d8f7f930fc585e7196868e9a83b1c0be71c

SHA256
984b9477b6989f1e89c7411120c07e06540bf443f8d83c972b2c8b8b0cfbf80f

SHA512
c587d014db62c961b94a0f845bc7c60ebef1a80e54da1682eb039d9cf97ae0ea915f687aca3184e79c2df0d54fb80aa2b925d973859e6b0ee31daeb14f65de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.1MB

MD5
f3dce2ac9850d4e2c683afbae2858a5a

SHA1
325fe904e3f8d97b2cd378adf7c1c0303f0f3d44

SHA256
c8e60643199e773efac0e432ebd84a6343c1091268a934cb9a6a73897da81b29

SHA512
ff0516579ee37480480c5c6df38bd0addf5c16d1f781ac1e4aede6c93214123543879dd3c4fe62c1a7602b57da5aa98f8525881274710f2ce4b7e8b501dcc880

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
502KB

MD5
f582b7878f15958403750d36e3f3ef7e

SHA1
605afd75155290b42120761e7d34a4f0f61a7179

SHA256
5a8a6e29c288ea74640d30a498a3839e53a34f83a963302bc97195e819e51599

SHA512
eb002dc71bd5b725f79864f9d50ce2bd3baa06fcd83f8c4aec55a44cd2121640b53c161a08889d6d5f4cdf05da34d0b4941361ff2950b87df17f0129be406495

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\e65d1f04b2.exe

Filesize
2.9MB

MD5
a5e16abafdc25136e48dce526c50320c

SHA1
8a4b9c26b50ed2b1dfaf63bee367bf1c72b14921

SHA256
48e87a84f57588698322c5364642d446c225c56b15ac4b150f42602ffcf8b0a6

SHA512
c3c8c4547dd44ef00a3e5fb9cebd3355b5c96d2780bd5338ac6acd745ab164cbcc554985976e3b067ab61a22f0e9bc43cf0d51476a1139fb6838667a900266f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wak3pflr.2vj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
364KB

MD5
c0378467552b5cbaf1d93e6738c72a82

SHA1
0c985fa1f603f45f7fe5aeddca3bda03e17741d2

SHA256
f51b8abf7bc75aeb50cd821cfbcb124b639af3746df1df5a8db00d642c69eb71

SHA512
c570162f27f45d9ae2aba799a560aa382dc0bf385eb3d927f10027e84d7070fc9be8833541374f6cffd8d3af66c84576875439ee333a3a03c311e4bcb1bd11d7

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
254KB

MD5
634440ac02ce591c4e95a824ff121ad4

SHA1
deb2aa4a70e0c3f831ba23482d789f677cf6b5b0

SHA256
40fc8bc29d8d7913a8bb118b31da945e8321fbe8a0fd45cf9107c6589428be15

SHA512
c8dc8feb0309c33c6078f666295533857652c87a08f6c7f01710ec5a870405c1fc9b6e56c8d1db857041d8b353f885cff2c7146838365e7cf83be15476e22146

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
325KB

MD5
caa77dc82e00734542cee13e6de720ed

SHA1
37c643950094054c9649cdc2e7c48f80580dada5

SHA256
5d104c9e6c24b12946ecec31aa1e8a4dcde809d1a3d32e8d76b5ff622a48d477

SHA512
4e523ba370a394cc85340bbf6d1625a192f11eb590aa5faa4b65c3b617986651cc7d03d03ce1f8971f8b715cdca33306f3c71c81b261bc67c751295e0d5d5077

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
305KB

MD5
2b85651c6ddd0876983a827c2b7f026a

SHA1
3d56c6cc9ac1308c497124470dfedf2871aa303f

SHA256
2f6efb428e3f87527e0a5b6f6afa995144062f94c14bf9394579fc5820a03f75

SHA512
1252503017b64dac240c80ceb3e96520d8c71a3a5c000a1f21bc7d5a3b156e4a19730e0d638e3c44eb237026d94d95fa7bbc3a0dfdd58af67778563251d461ab

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/388-95-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-94-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-165-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-100-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-104-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-118-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-117-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-116-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-115-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-114-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-112-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-56-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-59-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/388-109-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-60-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-61-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-62-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-63-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-64-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-65-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-66-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-67-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-107-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-76-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-77-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-85-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-86-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-97-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-89-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-90-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-93-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-91-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/388-92-0x0000000000400000-0x00000000008F9000-memory.dmp

Filesize
5.0MB

Download
memory/1388-185-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/1388-184-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1388-179-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/1388-180-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1388-181-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1388-182-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1388-183-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1388-178-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/1800-137-0x00000203A4EB0000-0x00000203A4ED2000-memory.dmp

Filesize
136KB

Download
memory/1800-145-0x00000203A5160000-0x00000203A5172000-memory.dmp

Filesize
72KB

Download
memory/1800-152-0x00007FFCFB590000-0x00007FFCFC052000-memory.dmp

Filesize
10.8MB

Download
memory/1800-146-0x00000203A5140000-0x00000203A514A000-memory.dmp

Filesize
40KB

Download
memory/1800-142-0x00000203A4E30000-0x00000203A4E40000-memory.dmp

Filesize
64KB

Download
memory/1800-143-0x00000203A4E30000-0x00000203A4E40000-memory.dmp

Filesize
64KB

Download
memory/1800-144-0x00000203A4E30000-0x00000203A4E40000-memory.dmp

Filesize
64KB

Download
memory/1800-141-0x00007FFCFB590000-0x00007FFCFC052000-memory.dmp

Filesize
10.8MB

Download
memory/2396-187-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-30-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2396-234-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-24-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-96-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-25-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/2396-232-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-23-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-250-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-219-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-238-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-26-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2396-27-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/2396-153-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-32-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2396-28-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/2396-174-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-172-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-55-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-29-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/2396-236-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-31-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2396-170-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-168-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2396-166-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/2804-51-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-52-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-186-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-169-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-131-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-171-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-167-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-173-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-154-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-235-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-237-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-210-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-249-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-231-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-251-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/2804-233-0x0000000000D70000-0x0000000001108000-memory.dmp

Filesize
3.6MB

Download
memory/3288-218-0x00007FFCFB590000-0x00007FFCFC052000-memory.dmp

Filesize
10.8MB

Download
memory/3288-209-0x00007FFCFB590000-0x00007FFCFC052000-memory.dmp

Filesize
10.8MB

Download
memory/3288-211-0x000001E39D190000-0x000001E39D1A0000-memory.dmp

Filesize
64KB

Download
memory/3288-212-0x000001E39D190000-0x000001E39D1A0000-memory.dmp

Filesize
64KB

Download
memory/3800-244-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3800-242-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3800-241-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/3800-240-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/3800-245-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3800-243-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3800-246-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3800-248-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/3800-247-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4188-99-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4188-101-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4188-108-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/4188-103-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4188-119-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/4188-98-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4188-106-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4188-105-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4188-88-0x0000000000C90000-0x0000000001138000-memory.dmp

Filesize
4.7MB

Download
memory/4588-9-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4588-5-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4588-7-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4588-6-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4588-0-0x0000000000860000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/4588-10-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4588-1-0x0000000077A16000-0x0000000077A18000-memory.dmp

Filesize
8KB

Download
memory/4588-3-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4588-22-0x0000000000860000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/4588-2-0x0000000000860000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/4588-4-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/4588-8-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download