amadey | b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d

Analysis

max time kernel
299s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2024, 05:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
Size

3.1MB
MD5

60a2f2eb1e71f72fb1c81a651ec2cc8b
SHA1

ca2e3549c58b756d67a1841c3a5d5f037294d4e7
SHA256

b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d
SHA512

f033053b083f1bc8c158f10251886b334a6332d68d0cb8fbf6fe740b960fa7907b986c899ebf2fbc26df1ab807f77cba45f7b20bf7e60cc8bdd98c18494c7515
SSDEEP

49152:Gbdgrtjj6x0m9uXO2KbOmoskI79mji9tZ62RK5:GWtj6x0m9uXliOmhkI79mji99

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fd7979556a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
39	5592	rundll32.exe
40	5160	rundll32.exe
42	5640	rundll32.exe
43	4732	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fd7979556a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fd7979556a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 11 IoCs

pid	Process
3344	explorha.exe
3452	ae4d292642.exe
2004	fd7979556a.exe
2200	explorha.exe
2480	amert.exe
5412	explorha.exe
2732	chrosha.exe
5456	explorha.exe
6064	explorha.exe
2736	explorha.exe
1196	explorha.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	fd7979556a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine	amert.exe

Loads dropped DLL 6 IoCs

pid	Process
5568	rundll32.exe
5592	rundll32.exe
5160	rundll32.exe
5676	rundll32.exe
5640	rundll32.exe
4732	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\ae4d292642.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\ae4d292642.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\fd7979556a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\fd7979556a.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000001ac28-35.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
1640	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
3344	explorha.exe
2004	fd7979556a.exe
2480	amert.exe
2200	explorha.exe
5412	explorha.exe
2732	chrosha.exe
5456	explorha.exe
6064	explorha.exe
2736	explorha.exe
1196	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3344 set thread context of 2200	3344	explorha.exe	91

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582386893291825"	chrome.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1640	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
1640	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
3344	explorha.exe
3344	explorha.exe
1612	chrome.exe
1612	chrome.exe
2004	fd7979556a.exe
2004	fd7979556a.exe
2480	amert.exe
2480	amert.exe
2200	explorha.exe
2200	explorha.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5592	rundll32.exe
5704	powershell.exe
5704	powershell.exe
5704	powershell.exe
5704	powershell.exe
5412	explorha.exe
5412	explorha.exe
2732	chrosha.exe
2732	chrosha.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5640	rundll32.exe
5892	powershell.exe
5892	powershell.exe
5892	powershell.exe
5892	powershell.exe
5456	explorha.exe
5456	explorha.exe
5020	chrome.exe
5020	chrome.exe
6064	explorha.exe
6064	explorha.exe
2736	explorha.exe
2736	explorha.exe
1196	explorha.exe
1196	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeDebugPrivilege	5704	powershell.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3452	ae4d292642.exe
3452	ae4d292642.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
1612	chrome.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3452	ae4d292642.exe
3452	ae4d292642.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe
3452	ae4d292642.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3344	1640	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe	74
PID 1640 wrote to memory of 3344	1640	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe	74
PID 1640 wrote to memory of 3344	1640	b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe	74
PID 3344 wrote to memory of 3452	3344	explorha.exe	75
PID 3344 wrote to memory of 3452	3344	explorha.exe	75
PID 3344 wrote to memory of 3452	3344	explorha.exe	75
PID 3452 wrote to memory of 1612	3452	ae4d292642.exe	76
PID 3452 wrote to memory of 1612	3452	ae4d292642.exe	76
PID 1612 wrote to memory of 512	1612	chrome.exe	78
PID 1612 wrote to memory of 512	1612	chrome.exe	78
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 524	1612	chrome.exe	80
PID 1612 wrote to memory of 4296	1612	chrome.exe	81
PID 1612 wrote to memory of 4296	1612	chrome.exe	81
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82
PID 1612 wrote to memory of 3596	1612	chrome.exe	82

C:\Users\Admin\AppData\Local\Temp\b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe
"C:\Users\Admin\AppData\Local\Temp\b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Users\Admin\AppData\Local\Temp\1000055001\ae4d292642.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\ae4d292642.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffde1649758,0x7ffde1649768,0x7ffde1649778
        5⤵
        
        PID:512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:2
        5⤵
        
        PID:524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:4296
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:3596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:1
        5⤵
        
        PID:2824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:1
        5⤵
        
        PID:1444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:1
        5⤵
        
        PID:4828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3168 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:1
        5⤵
        
        PID:96
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3876 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:1892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:2948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:2804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:2760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:8
        5⤵
        
        PID:5208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2456 --field-trial-handle=1816,i,18077900548477868379,3493734610501645026,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
- - C:\Users\Admin\AppData\Local\Temp\1000056001\fd7979556a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\fd7979556a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5568
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5592
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\699363923187_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5704
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5412

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2732
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:5676
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5640
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\699363923187_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5892
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4732

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5456

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6064

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
98d5708d84ac399147013c1c5ff0e3d4

SHA1
c4fad86e35f7f9ca2cb917b438e824e812dfc87a

SHA256
5056f5e4e8f7b496b5b4a880dd9c667debd537cd3ca5492cf2122c831246b761

SHA512
71ace2c9405618533bb6a8ddc878dcaff1d641560e821d30570284675d9e94400c6076108e57be45688fc34f62effb724434e58a2043c3b72e2df639603e5ea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0867cf7537f465d3a18284a4e00785a7

SHA1
77579b037ed65771a382b93a3418f96e9e21a0a5

SHA256
04b7509e3d9a73ad361cdc43151a671d4fde57a78756fdf449092e4a537afc62

SHA512
33bb994ce4274473907d09b1ee449fd0038f0a2316269f9cb5acbef36c26ffefbc5d9a1347b80f76254b51e1c3a2219c9190ad946d21ebabeff4664f6bd1e9b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6f98aa81ffc41ced87a24f9a31a5ac78

SHA1
e7a06e7f4184ac50f121a1530a01047f853e390a

SHA256
831ef1afe6f437caf8ac37bfbf458e8bac029a120293f7fdbd5f06b2a8785892

SHA512
e3f9c94ad2f264204ef7184e7a8a2d69f789e9f1802bff14f33882bfcddc253e96ec1f31ce32d8032d8f8e5a203957deccf782d9f778729782bcbd1be6b44a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
ab3244b1cbd66bef5fb7e4e4db43e5d1

SHA1
f9efd90df1c91e8482c66f6c6c41ada95a761464

SHA256
0708509ffcbf28e7d2174646675bdb434a717e8cc9eaef78f663e93c4d026443

SHA512
01496a8a93349a7bf1d0a043a97510025a592b13773e3a6bae243ea875a3082fd6bcd1da0c7881b11f8bfc4df758258d084bf2cd6029769bf0aae5dbd02d8318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
0517aee9d07c6564f810181ef7a3e7e3

SHA1
5ca8cb0ac53a3c0c041065362510284b07fc7f28

SHA256
ce4b12b814fab2464302355a17c81b112bea9ed04d2af094191af67bcfcd98a4

SHA512
56b2674bd23f049f8717035bc59aea86402835d420b6df15ad8d784649656aa43a6a3bff4a5d8cd3c9505e7bb104d9b426701b727a8727b2d4630255feaa9940

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
97b84c75c5be0445c685359fc32ac28c

SHA1
8dc66c06dca1bb862de227df755836c389052a01

SHA256
5cc460181bd57c81bee2d8fd9fbb944143ab4a87f93c2f0f19432b756d291812

SHA512
710744e4293794d3808900a81f9a54167e3725d70faa0552ee7ae8047141db6b60395604189e034381a7f7075d1902905c0e3b5fa35394a595e02789d6cc1d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f546ebfda36a8ff4caff945dedddee84

SHA1
1f4ce21020ceb2677eb5a8e52ee8d42a306bb015

SHA256
302d39dec8801f1ee0a6695241ed915147b8cf48abb8db0ad32d12990dfc30fd

SHA512
6719890ce697839fac26822701fdb3c4ccbee47109ccd613050b48abe9b1e0a9491bef1c9d24e21b2f167d16e44bf165a541cae55ef5d13cef58776af5e24b9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a97c5d888ebf09384321ea5d1632389f

SHA1
662b9c2eb73304809f9dfb67690319ad2c8c1a3a

SHA256
557ca81ea0b32e61675865180854166d285d9ae0897c4b01d64f2bb444453c32

SHA512
54ba6594f079fe389fe7e3a70275c0991d4a3ac2d177012db3d2b72e7e06da8eb192b2980716b52c729ac3ffbb11041bc2eaa1b3f1e202489ad3283571d88283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f22d881fec09100bbd0904a049cc0213

SHA1
af88b3e3601e6bac3fd829e8f8bf25aeca668229

SHA256
bdea065f94a8d9d7ad7b67ff802d09426829033c9a7bd5b5793d7e0f94d5788c

SHA512
5b608c58f0cd81a273aee989d71bd27139e8e0687859f244a1a2f1a76391fa1da1e0dd8433693006df966fce021eed85429456c9b6ecb3e17a29cba2facfd136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
d0a8114208c5b6f8d94d8808e04f5cb4

SHA1
8230696b11ef8c00003adeac73471a659f0b7658

SHA256
50011548f361ada293abc8d67ceebc45686f1f4d9d3e4d0ff4fe9da23b804797

SHA512
e4d1d39a85af713c01a2279c873832247de19cc21f7e133e1075239c5036e797a6dfe40b3a3ffcc55afe1f0b1a0908847516b4b65438cfcfd29903c59d84b53b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
890d377e311cc29c56e5daf3470f6355

SHA1
984805331d295b5364a904ebe08007cee0904da0

SHA256
8bc4b50953de49f3d27ea53b5368f3224686ad77dea4efd6a81c26066699ffb5

SHA512
a0b5f666abb13dfa3bc191957419e735b7079bafc853ef04fea62cc007b0fd5fec8da6cf103691d1d7bb71d61af7adbae3e11ef21aa7435e3911238f8426e446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7ce47df53c8f0ba7ccf885c309afc484

SHA1
b25ad9723b06d3861498caa32ffb1b7b38701a95

SHA256
7031b6b7bc43cf4ee90d4ec4860b78a442352243ea28f5d959b56222b13de2e4

SHA512
78585fbfcfe2e7a27f0ee168075958923184e67da1668850d0e66e31f0fd0a5516c04a17693ad197da7ffffb179265cd54fe0629fa30e00a6f269c6d68277efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce87fcf699cde47d148963016faf33da

SHA1
d50a9c1023689b87c8776ac6944e48f4f6ef4079

SHA256
237c36227869b3925a7040b619e9843c045a9cd3e60db4db457bea54ca872fdb

SHA512
e3a5bfb6e0110d29891e2126a08a13c62f96c20f9cac307341f59c7fd01adb4f0259a002dbc3e043e0ee1645fffdc3c7e4fc17b1ba8bdbbc0726dbc883e821d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
3.1MB

MD5
60a2f2eb1e71f72fb1c81a651ec2cc8b

SHA1
ca2e3549c58b756d67a1841c3a5d5f037294d4e7

SHA256
b946dd7deef27b77d3567c97fff2400b3a4d4ded8177bd2cbcb4eac69962147d

SHA512
f033053b083f1bc8c158f10251886b334a6332d68d0cb8fbf6fe740b960fa7907b986c899ebf2fbc26df1ab807f77cba45f7b20bf7e60cc8bdd98c18494c7515

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\ae4d292642.exe

Filesize
1.1MB

MD5
c0058dc5f423001d42df5a6f2d968a55

SHA1
65a4f05611c77e4a49fb3a9cf9ed051cb6871883

SHA256
68a0c266d1cf63d9f71994489165d1335f0a874fc0203935c884662d89fb7988

SHA512
a3d8d4ca5d06444aeaabf4f2dde3fd4925fe9d99254e7b4c5554f284b975e54194b71bf23b994034e50d5694fe45187617936e5047d25527cbf5e08c3ab65a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\fd7979556a.exe

Filesize
2.3MB

MD5
69eea6da5a972f99322787e2e1ddcee6

SHA1
8e8e9a999e06b2def82dae7437bc05a23db8fe94

SHA256
7cac339733c031b7c81290794a2e56f1894ff81d7db3f920d43e9da76ffb042b

SHA512
f41e06a426bff8f0756916546533f80af5b439fc13bd711411ed21715fd7d0cdaf2708c1bc55f20c962cd8919bd829588c672cb955b3191b7aef2a2c2d7c3123

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe

Filesize
1.9MB

MD5
42ad64483405b6ce53c4966870c902ec

SHA1
c21642320252e799c8fdb2b88acf177254dccacf

SHA256
e5fb190cb34afa45533f59258b8415cd2788042a5e7b83b2c1560c0189b3a521

SHA512
62624070f30d2095ff53c0dee499c77f00e45c1c251a64cf18f7b885742ea0c5a0f4b931a01ecdbb10303be4763f6e7eb7d315ce13e2b8947df2d7ccbc0c2db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15jadtp2.ho2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/1640-9-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1640-19-0x0000000000210000-0x0000000000527000-memory.dmp

Filesize
3.1MB

Download
memory/1640-12-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1640-11-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1640-0-0x0000000000210000-0x0000000000527000-memory.dmp

Filesize
3.1MB

Download
memory/1640-8-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1640-7-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1640-6-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1640-5-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1640-4-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1640-3-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1640-2-0x0000000000210000-0x0000000000527000-memory.dmp

Filesize
3.1MB

Download
memory/1640-1-0x00000000778B4000-0x00000000778B5000-memory.dmp

Filesize
4KB

Download
memory/2004-98-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2004-496-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-97-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2004-101-0x0000000004F50000-0x0000000004F52000-memory.dmp

Filesize
8KB

Download
memory/2004-224-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-512-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-89-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2004-91-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2004-83-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2004-93-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2004-94-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2004-168-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-80-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2004-73-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-96-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2004-320-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-95-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2004-331-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-90-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2004-365-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-449-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-464-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-481-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-509-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2004-99-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2004-493-0x0000000000B70000-0x0000000001135000-memory.dmp

Filesize
5.8MB

Download
memory/2200-130-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-170-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-150-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-142-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-140-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-152-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-134-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-156-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-131-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-132-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-147-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-128-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-143-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-129-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-119-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-138-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-118-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-117-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-166-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-164-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-162-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-116-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-169-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-145-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-171-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-172-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-173-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2200-174-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/2200-176-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2200-175-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2200-177-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2200-178-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2200-179-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/2200-180-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2200-181-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2200-183-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2200-182-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/2200-184-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2200-185-0x00000000053B0000-0x00000000053B2000-memory.dmp

Filesize
8KB

Download
memory/2200-115-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-114-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-112-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-111-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2200-110-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/2200-106-0x0000000000400000-0x00000000009D7000-memory.dmp

Filesize
5.8MB

Download
memory/2480-149-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2480-204-0x0000000000970000-0x0000000000E4A000-memory.dmp

Filesize
4.9MB

Download
memory/2480-154-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2480-163-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2480-165-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2480-155-0x0000000000970000-0x0000000000E4A000-memory.dmp

Filesize
4.9MB

Download
memory/2480-144-0x0000000000970000-0x0000000000E4A000-memory.dmp

Filesize
4.9MB

Download
memory/2480-151-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2480-148-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2480-146-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2480-153-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2732-498-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/2732-492-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/2732-366-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/2732-495-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/2732-466-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/2732-511-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/2732-450-0x00000000001E0000-0x00000000006BA000-memory.dmp

Filesize
4.9MB

Download
memory/3344-29-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3344-508-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-451-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-24-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/3344-27-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3344-465-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-28-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3344-25-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/3344-23-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/3344-367-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-22-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-491-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-353-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-21-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-494-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-330-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-30-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/3344-139-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-109-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-26-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/3344-141-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-510-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/3344-299-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/5412-352-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download
memory/5456-507-0x0000000000C80000-0x0000000000F97000-memory.dmp

Filesize
3.1MB

Download