amadey | 4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
18-04-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
Size

2.8MB
MD5

df17f306876977161526bb1f067b61c3
SHA1

53409fdd1591092f8a135b9a77e8f6b732939cef
SHA256

4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb
SHA512

283dc89e62505602e4ddb332c5b8ade9f221e0e84072ecfea06db4c98e8b2b34d6ce24bd514eb5d9b940a622d8284d70ad9db4a9e756885ba5b81924e2b35136
SSDEEP

49152:hx2uHUsHgOw9UWqJuh6sSSHgIHiquH8xLr+SphjABTQ:hx2uHUsHgOwOWqJuh6sSS9HiqucxnPX/

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.93:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chrosha.exeexplorha.exeexplorha.exe4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeexplorha.exeamert.exe763e1f01af.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	763e1f01af.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

27 2584 rundll32.exe
33 2740 rundll32.exe
35 1540 rundll32.exe
38 3564 rundll32.exe
Downloads MZ/PE file

flow	pid	process
27	2584	rundll32.exe
33	2740	rundll32.exe
35	1540	rundll32.exe
38	3564	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amert.exe763e1f01af.exeexplorha.exechrosha.exeexplorha.exe4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	763e1f01af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	763e1f01af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 8 IoCs

Processes:

explorha.exeamert.exe7854b6ff53.exe763e1f01af.exeexplorha.exechrosha.exeexplorha.exeexplorha.exe

pid process

2932 explorha.exe
3048 amert.exe
2416 7854b6ff53.exe
5048 763e1f01af.exe
1124 explorha.exe
3712 chrosha.exe
2180 explorha.exe
2596 explorha.exe

pid	process
2932	explorha.exe
3048	amert.exe
2416	7854b6ff53.exe
5048	763e1f01af.exe
1124	explorha.exe
3712	chrosha.exe
2180	explorha.exe
2596	explorha.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exe4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeexplorha.exeamert.exe763e1f01af.exeexplorha.exechrosha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	763e1f01af.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

716 rundll32.exe
2584 rundll32.exe
2740 rundll32.exe
2412 rundll32.exe
1540 rundll32.exe
3564 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
716	rundll32.exe
2584	rundll32.exe
2740	rundll32.exe
2412	rundll32.exe
1540	rundll32.exe
3564	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\7854b6ff53.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\7854b6ff53.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\763e1f01af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\763e1f01af.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\7854b6ff53.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeexplorha.exeamert.exe763e1f01af.exeexplorha.exechrosha.exeexplorha.exeexplorha.exe

pid	process
1160	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
2932	explorha.exe
3048	amert.exe
5048	763e1f01af.exe
1124	explorha.exe
3712	chrosha.exe
2180	explorha.exe
2596	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579412894543915"	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeexplorha.exeamert.exechrome.exerundll32.exepowershell.exe763e1f01af.exeexplorha.exechrosha.exerundll32.exepowershell.exeexplorha.exechrome.exeexplorha.exe

pid	process
1160	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
1160	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
2932	explorha.exe
2932	explorha.exe
3048	amert.exe
3048	amert.exe
2504	chrome.exe
2504	chrome.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
5048	763e1f01af.exe
5048	763e1f01af.exe
1124	explorha.exe
1124	explorha.exe
3712	chrosha.exe
3712	chrosha.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
1540	rundll32.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
2180	explorha.exe
2180	explorha.exe
4248	chrome.exe
4248	chrome.exe
2596	explorha.exe
2596	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2504 chrome.exe
2504 chrome.exe
2504 chrome.exe
2504 chrome.exe

pid	process
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

7854b6ff53.exechrome.exe

pid	process
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2416	7854b6ff53.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2416	7854b6ff53.exe
2504	chrome.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

7854b6ff53.exechrome.exe

pid	process
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2416	7854b6ff53.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe
2416	7854b6ff53.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exeexplorha.exe7854b6ff53.exechrome.exe

description	pid	process	target process
PID 1160 wrote to memory of 2932	1160	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe	explorha.exe
PID 1160 wrote to memory of 2932	1160	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe	explorha.exe
PID 1160 wrote to memory of 2932	1160	4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe	explorha.exe
PID 2932 wrote to memory of 3048	2932	explorha.exe	amert.exe
PID 2932 wrote to memory of 3048	2932	explorha.exe	amert.exe
PID 2932 wrote to memory of 3048	2932	explorha.exe	amert.exe
PID 2932 wrote to memory of 2416	2932	explorha.exe	7854b6ff53.exe
PID 2932 wrote to memory of 2416	2932	explorha.exe	7854b6ff53.exe
PID 2932 wrote to memory of 2416	2932	explorha.exe	7854b6ff53.exe
PID 2416 wrote to memory of 2504	2416	7854b6ff53.exe	chrome.exe
PID 2416 wrote to memory of 2504	2416	7854b6ff53.exe	chrome.exe
PID 2504 wrote to memory of 2576	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 2576	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 3480	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4600	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4600	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 1692	2504	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe
"C:\Users\Admin\AppData\Local\Temp\4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\1000055001\7854b6ff53.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\7854b6ff53.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9ec8ab58,0x7ffc9ec8ab68,0x7ffc9ec8ab78
        5⤵
        
        PID:2576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:2
        5⤵
        
        PID:3480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:4600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1652 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:1692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:1
        5⤵
        
        PID:3520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:1
        5⤵
        
        PID:4808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:1
        5⤵
        
        PID:4856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:4768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:4412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:4808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3248 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:2404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:1164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:1356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4356 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:8
        5⤵
        
        PID:4008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4296 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:1
        5⤵
        
        PID:4980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1852,i,7904218092704970629,10209694151800384805,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:716
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2584
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\344820275820_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
- - C:\Users\Admin\AppData\Local\Temp\1000056001\763e1f01af.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\763e1f01af.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3712
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:2412
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1540
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\344820275820_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3564

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
47db703229f697c899bcc47bf3449e41

SHA1
58f1d2806714eeb6d2bdd5ba246f9c1b4c98ff2b

SHA256
3adeac76317aa3827a60b412e716a7370c2fec37cb796ac3a6ab4a092dfd3f28

SHA512
175547c760f3f38459236febec459ed890172acfe7aed99ee68078a22ca759ed5bcd2990ba35b1769a6ed22ae768354b35f7000e775cbbe3ddf08c3d0e8af228

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
26bae08855c83038939df5031d718193

SHA1
5e0321f55e875fb645baa021a1b5e9a03a8d2edb

SHA256
1231cc60bd75a365c9ee3b3212790ede7690480d541e2cfd7a5fd894526a3054

SHA512
af7ec6ace8d89c4b5e7eeac09749d9b54db23b9a076ca099063d874be39d46fb7ce681c7bc8dcd26d15d99c3e7b92a815e604728eb630767f1220a040495433d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d1c373598fb69b30417dccd71f44bae6

SHA1
6c58f724afc1550556e6b07f728a4af1d33531c7

SHA256
3226f130fc385debe7b3337084e035f6dbc39d0b445a8081b8add75b11b383a3

SHA512
1e7719a5fb1f0917dbded2820529d94d70de75101ed95e8627315e6fed5b51ba7c263636f9a8c0e8af28fec7c2bb09598a8a087682be3a44ca8fee61d6a1c014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
831cd9ab5f8517b711bb62a5238a0841

SHA1
02a6130ba2dc2a5d757125b1394d928be22c311c

SHA256
45417fbf33063e237564daf56695f1c9c9fafa175089a693ab5f37b033b61fbc

SHA512
749c957d325dd45b52d2a70963e7edaf6ec2fe817123f55549e597db3a4f0370cda54b6ac44c4661bb60082b1ee46228b956ffda24fbbb0cf5a3bd741e887d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
05d65e2c30c15e8bdcd9868c008c089d

SHA1
b860381a641b54ebd009655496329f5e9ed7edf8

SHA256
b34890475e567fdbf6ec27b11bf8cea9c99b0948f3ed98becdb9f2a697784c6b

SHA512
eb88092367e2668a7c164f7af22498b6c6d5e6bae3d73751f61259dabb2edfe2d9794d6a069ca0fb37e716f5fbf1011672fc5b1772e79a6dd716b4278e47f327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
33ec4ee4ac34ce5bb8cb5f230b1f341f

SHA1
2c80bec3d05dfc2924917a95ee02d631c6dfc7c9

SHA256
f63e55dda35bcc5e90e72cc4c21164c1195069e1e88aad7f0546b966a00f4c39

SHA512
9a1c80e9c3ccfe312f08f29c05f72ca46986e36d835644fbfb195a2afe6ccb7a5dfd8167fbed090fff45137daa442075dbbf723903480fec7878f68021557304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5652b03f07e31d7e79993736c3aa42fb

SHA1
acab49c8b26882e8a188ea99765c8a7eed28d62f

SHA256
eee5bd0dc8c2e84e49509b19bd6aba834972b0c795d45b32db437a9bb2379fc7

SHA512
15a9868f2b49bae8b6c03998ddcf2fdbd2ca94808e9bc23f2598b91457db2b97c0a7039859d7d6028f60e4798e7cf68b1b3f8592b5766b9bed1fe0037b4ba59d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d2c1.TMP

Filesize
48B

MD5
19f6561757074740f54f12699dec3514

SHA1
e5a76bd3a25ac9b064a207f515a7f53bc50a3b78

SHA256
5363058c2149ffb7b7e407d5387ce62c5fc6de02dafb6c72b7c76850950e0cce

SHA512
83ac84e4b41bbbfa36d78968729db9adcb363221ebe86304845db20660cabf30db7d0cd5495b9549e532393e2f4b28cefd9f5cfde4c11e8191d48972ebabba60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
ad6c3d7b9a675a23b61cebc70c12a8af

SHA1
a494793218d1b4d46ef4df13aeba9f480ea7615c

SHA256
5574fc152f000159144b429b102089ea837cda38a280deb73dff289228799f3e

SHA512
e146c8e63fafc3fed54722c1b26bdb88fc3200aadde18ae86ca46154ba0c08f1e07f7c063c9da7b8661612efd0e397718987e926f34053846dca6bd1e10349ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd00e221c7412a41b29060dfc1dcd6c8

SHA1
76b297738f2cddd26f737ab38829ad02ed1b51ec

SHA256
98f4f38301fc856eaa213d998e3e07c3cb7e544c3662d452e3342c2268a680b7

SHA512
abcd164974234cd9d06d9e0127909148af2cbca135b22a73f48338e23f2fbb44088897bf8229591038a09959a86cd35b642c49c5033f091b5266c35a2a78b9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
2.8MB

MD5
df17f306876977161526bb1f067b61c3

SHA1
53409fdd1591092f8a135b9a77e8f6b732939cef

SHA256
4b158cf580f4be8dd4aaf68adefcd86bdf945414af4458fc590a16d4a4ee02cb

SHA512
283dc89e62505602e4ddb332c5b8ade9f221e0e84072ecfea06db4c98e8b2b34d6ce24bd514eb5d9b940a622d8284d70ad9db4a9e756885ba5b81924e2b35136

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe

Filesize
1.8MB

MD5
86a321a84df8f5da70c9a1cf9a1cde9a

SHA1
942813349857f83613bf8b10c92e028d9e59cfe0

SHA256
6379a08616253ed59ac64c592fb8d4b350d27f51da903472136753552f53a023

SHA512
c7c516c5ec7ed588123cec84f5e7e58b7ee97e1314dbbbe75bd14f86093b205a41847c0c970b15aca0e9b23d2d1d1909fe7d6686538b328d5c315a6a24d02735

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\7854b6ff53.exe

Filesize
1.1MB

MD5
fdd4992ea505fa7e0e1d29b9c5b4e284

SHA1
81b32eb350fbff40cb8c43a4b7396223b3a988db

SHA256
b26be9faa546b75bc5360a22eac133de8907745dedaddb8336648f1066ef1f83

SHA512
563d30c4b821c513a1290ddc5ebc9bb2ca8d28ea953629d8252327fad845bef4df67dc3f591b37746c75314eb7b9f74c4dbb2022f64b58623fb4256cb29ade50

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\763e1f01af.exe

Filesize
2.2MB

MD5
813526bb03c7f7f0625e63de95afa3e1

SHA1
94f5ad0603785c476d77bc1a9f4d74ab0df131ec

SHA256
82fa61e2ed738241ce2d72df642b0235ebdb94971e19cca3a4c593ae2d2a30db

SHA512
2c41b583e668fa121d05377db64555c1badf3bb0919fba99f12afd8f331b19fcbd40d4b4a81f0bae34a9030c2849134a02da7e08390435023c1d0a0c164118ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyjzwlql.pbx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2504_578090576\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2504_578090576\d2cfa0be-7ed0-44f0-8dd5-b0c9de0b591a.tmp

Filesize
135KB

MD5
87996ba4dd83a8988d96e918dcb2bc62

SHA1
23910f09ea806d13d9a337a1e23d5fa49b383269

SHA256
6409d21a03faff1503aa83a19be0b7dcb701f5e4501c4fefb81877147e869d57

SHA512
a9a1b4bb6ed0410232db0414ab238baa594f6c936a801213e0e6fd7ff96f34ab57036cd0070c68d75a8cfda89b7240b6fb8f661bc9c4d9a45666a798d7d12999

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
\??\pipe\crashpad_2504_FMTPZEOKGVFWXXEP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1124-651-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/1124-637-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1124-638-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1124-639-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1124-640-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/1124-641-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/1124-636-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/1124-631-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/1160-2-0x0000000000DE0000-0x00000000010EE000-memory.dmp

Filesize
3.1MB

Download
memory/1160-4-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1160-3-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1160-0-0x0000000000DE0000-0x00000000010EE000-memory.dmp

Filesize
3.1MB

Download
memory/1160-5-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1160-6-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1160-7-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1160-11-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1160-9-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1160-10-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1160-8-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1160-1-0x0000000077916000-0x0000000077918000-memory.dmp

Filesize
8KB

Download
memory/1160-23-0x0000000000DE0000-0x00000000010EE000-memory.dmp

Filesize
3.1MB

Download
memory/2180-766-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-730-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-25-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-796-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-24-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-784-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-776-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-773-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-770-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-767-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-27-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2932-32-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2932-749-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-737-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-733-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-31-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2932-30-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2932-29-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2932-685-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-28-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2932-26-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2932-34-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2932-659-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-140-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-91-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-90-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-609-0x0000000000880000-0x0000000000B8E000-memory.dmp

Filesize
3.1MB

Download
memory/2932-33-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3048-57-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3048-59-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3048-51-0x00000000001A0000-0x000000000065A000-memory.dmp

Filesize
4.7MB

Download
memory/3048-63-0x00000000001A0000-0x000000000065A000-memory.dmp

Filesize
4.7MB

Download
memory/3048-50-0x00000000001A0000-0x000000000065A000-memory.dmp

Filesize
4.7MB

Download
memory/3048-52-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/3048-53-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3048-54-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3048-55-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3048-56-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3712-786-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-709-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-634-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-735-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-739-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-757-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-798-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-670-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-732-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-769-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-772-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-775-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/3712-778-0x0000000000A30000-0x0000000000EEA000-memory.dmp

Filesize
4.7MB

Download
memory/4628-151-0x000001F1ED200000-0x000001F1ED210000-memory.dmp

Filesize
64KB

Download
memory/4628-174-0x000001F1ED450000-0x000001F1ED462000-memory.dmp

Filesize
72KB

Download
memory/4628-195-0x00007FFC8AA30000-0x00007FFC8B4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4628-161-0x000001F1ED200000-0x000001F1ED210000-memory.dmp

Filesize
64KB

Download
memory/4628-160-0x000001F1ED200000-0x000001F1ED210000-memory.dmp

Filesize
64KB

Download
memory/4628-176-0x000001F1ED3B0000-0x000001F1ED3BA000-memory.dmp

Filesize
40KB

Download
memory/4628-150-0x00007FFC8AA30000-0x00007FFC8B4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4628-149-0x000001F1ED3C0000-0x000001F1ED3E2000-memory.dmp

Filesize
136KB

Download
memory/5048-182-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/5048-738-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-183-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/5048-184-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/5048-192-0x00000000054C0000-0x00000000054C2000-memory.dmp

Filesize
8KB

Download
memory/5048-755-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-734-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-189-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/5048-186-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/5048-768-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-731-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-178-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/5048-771-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-181-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/5048-179-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/5048-774-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-180-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/5048-175-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/5048-777-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-706-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-177-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/5048-785-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-660-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-635-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-172-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-797-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download
memory/5048-627-0x0000000000440000-0x00000000009E0000-memory.dmp

Filesize
5.6MB

Download