amadey | 8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448

Analysis

max time kernel
150s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
Size

1.8MB
MD5

12ab9284b7bc5f1a10fdab18ec3387c6
SHA1

e3dcf2c85f3ab888fcc0e0555fc0438e85411d86
SHA256

8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448
SHA512

c997de1c1e4926fbef32a40d007696df714e56f987cb57a4fbf20b8f1a749bc83e37927174f778672c82b363980c5512a546990fb3c0172305c15a9c461272ac
SSDEEP

24576:6bR9HbDng67w6kUrAW3ShXteA9O6dAnbdMEobTVfy7RFgCmhN4nYdjzfFLCE8X/X:6bPHbDgUo1UyfA8BfogzxdjzUX/cbO

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	16dd6bdcae.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec378305e1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16dd6bdcae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec378305e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16dd6bdcae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec378305e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe

Executes dropped EXE 5 IoCs

pid	Process
4044	explortu.exe
2368	16dd6bdcae.exe
3720	ec378305e1.exe
1744	explortu.exe
3716	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	16dd6bdcae.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	ec378305e1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
Key opened	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\16dd6bdcae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\16dd6bdcae.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3720-129-0x0000000000090000-0x00000000005F2000-memory.dmp	autoit_exe
behavioral2/memory/3720-161-0x0000000000090000-0x00000000005F2000-memory.dmp	autoit_exe
behavioral2/memory/3720-168-0x0000000000090000-0x00000000005F2000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2396	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
4044	explortu.exe
2368	16dd6bdcae.exe
3720	ec378305e1.exe
1744	explortu.exe
3716	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637380205814416"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2396	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
2396	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
4044	explortu.exe
4044	explortu.exe
2368	16dd6bdcae.exe
2368	16dd6bdcae.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3164	chrome.exe
3164	chrome.exe
1744	explortu.exe
1744	explortu.exe
3164	chrome.exe
3164	chrome.exe
3716	explortu.exe
3716	explortu.exe
1996	chrome.exe
1996	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3720	ec378305e1.exe
3720	ec378305e1.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3720	ec378305e1.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3720	ec378305e1.exe
3164	chrome.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3720	ec378305e1.exe
3720	ec378305e1.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3720	ec378305e1.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe
3720	ec378305e1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4044	2396	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe	77
PID 2396 wrote to memory of 4044	2396	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe	77
PID 2396 wrote to memory of 4044	2396	8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe	77
PID 4044 wrote to memory of 3032	4044	explortu.exe	78
PID 4044 wrote to memory of 3032	4044	explortu.exe	78
PID 4044 wrote to memory of 3032	4044	explortu.exe	78
PID 4044 wrote to memory of 2368	4044	explortu.exe	79
PID 4044 wrote to memory of 2368	4044	explortu.exe	79
PID 4044 wrote to memory of 2368	4044	explortu.exe	79
PID 4044 wrote to memory of 3720	4044	explortu.exe	80
PID 4044 wrote to memory of 3720	4044	explortu.exe	80
PID 4044 wrote to memory of 3720	4044	explortu.exe	80
PID 3720 wrote to memory of 3164	3720	ec378305e1.exe	81
PID 3720 wrote to memory of 3164	3720	ec378305e1.exe	81
PID 3164 wrote to memory of 3216	3164	chrome.exe	84
PID 3164 wrote to memory of 3216	3164	chrome.exe	84
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 2132	3164	chrome.exe	85
PID 3164 wrote to memory of 1392	3164	chrome.exe	86
PID 3164 wrote to memory of 1392	3164	chrome.exe	86
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87
PID 3164 wrote to memory of 2224	3164	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
"C:\Users\Admin\AppData\Local\Temp\8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\1000016001\16dd6bdcae.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\16dd6bdcae.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\1000017001\ec378305e1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\ec378305e1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb5e9aab58,0x7ffb5e9aab68,0x7ffb5e9aab78
        5⤵
        
        PID:3216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:2
        5⤵
        
        PID:2132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:1392
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:2224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:1
        5⤵
        
        PID:2552
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:1
        5⤵
        
        PID:756
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:1
        5⤵
        
        PID:3480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:2160
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:4652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:400
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:2284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8
        5⤵
        
        PID:3700
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
86a3b223c747e7ea9a66f241f6a2063d

SHA1
2d51888eee390acb31082f77a0eec575693f8939

SHA256
f938f7f71b1bead27c92c0dbb443c8b3eb96b2ed0727c0ded73c4ef648740ad2

SHA512
7431eda2df23787a3607929912049697198ff00b5d0c86388982572bad8db8e9ca31ba6f1e305b400633d0d134dbfb09a86b0f4034f16b40a657687dfff5ed17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
76847709428fd4a4c5e8f882c11a61fa

SHA1
11f1995878a77df5a91718002227517ae4544378

SHA256
679d40eb90f538ce62943f738d19f58805705a0ce9859aaa8b3d736663a4c2f5

SHA512
b83512fb590bc75e38292628c6b02f482d8de4d124078becbf9d9c7bbf7737333c19491620b0cb9f134e2820d4199d2f393fa282c91e56bbb9c22bc50b9484f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
05fe92cf658c06d227edb836e44dc161

SHA1
718d7e3541e9d512c648c692ab0938fa64ab5d24

SHA256
a3b9b2eb77f50de0fc8c1fee26fe5e673050cb1024d3957c547cb47efd6b3c63

SHA512
0d605d84b6008184eb792d13e7126c17398619c311a1fc3f5e8a42f0cdc5c8fd20f1640fb3379e08f9bfdd9fb7aa07fb7686671814810f43afc6f796b329f856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
eed15ff9c12341575ade95dedf3d717d

SHA1
7a61a3e1d4f920a2f5584f4979018e653e8ac102

SHA256
2d2ba6ee8629245631ee44f49b231f62689fdae5bc7034deb3188735eb7b6261

SHA512
4415309dfc3f78212242a43bd42f3694096373a9dbcf9b87a71f216b9258bb11e38505c7503932a6f162dc1d871b8a921bdb385da78c4d8754b837f1c60331cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fb8402fbe590b98baea60ea2b50a4bc9

SHA1
2c1b6d5b241ba3446bae6504428e266e1b189346

SHA256
9f3c233b0a335bb730bd91af3d3a2edcc04767beb8c15eb080714cc388dddf7b

SHA512
ec7b6b201daad34772a84219e8669d372268d1f9613de46526068f70a597228f85b24b496bd3e6a069b11a1c0c205a241af37643e2beee7dce2a7126dab64302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
c636f347633f37694dd08d137ca8a180

SHA1
bc74bc907770fceffef30f5ff016b7a8d029c55f

SHA256
12c66a1f9b352301cc3500b7b0946ada05dda5eeeef3ef82631629a3147f872a

SHA512
a80e9d7946741f060b19994022e158ea94a0d9e5b975243a52cc08a06671a7156735cff004aa9cf9f590f595c365a3055e59ed00838c3519b923bdd8cf020dba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
301KB

MD5
77efb9892ea36ab7abfa8ddbf64f56cd

SHA1
b0cc1a99a2d02faa9de941b8b283845e9d6d9f51

SHA256
e1b3856068bb9caded672f1049cdd6fa38f50fbdc87218278c3fdabd2a55ad74

SHA512
5751b211ec90d11a129f00a20f9612060c60fae690b645be173c5ec537a99938166dc7759fd27d551baaed8ece2e2aa59958b8c335bc61d5c0e9a47f3caa4758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
f505917025dad232cd5e6b922f498706

SHA1
8d40a12be394ca4cafad3686fd5e56953e2e2c13

SHA256
f0316ad1bca03ba4dc6fd3cd0427d1a1db01d01975422f7dea933b0a99ab5b9e

SHA512
881b7d8c9a4fa4f1c9e1c7a2e0cf6b3863c3d5c7d7e8301c78e0143e6cabc20250d5a8518455dc732c93c08e9cab3427df8a3906f760c905d7a8730593bca338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
91de87b463436bc69ff2aa428e57a242

SHA1
495ace057b3da52b0f6b93896775e8726d2505a0

SHA256
5dabe5d883b2f345a212968062f4d505916b6c333d38032f693545f85c10b754

SHA512
68d92fa7f3c86bb8c34f3cb64c77f3a02d6959dc506a8069a17843d0fca4a0b39785d5160de70b087b91d2b90d33654001fbc344b4db236dfba7c095a97cb42e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
e0f3139df5e541874381cee3fb269924

SHA1
2a3d7c5d34c004d0357d062d58a8368a01e87bc5

SHA256
02c591198f9a672b844ccb57cc62b3243079a8df8f0113adffdef689b274e586

SHA512
4a2d8c555b1ed42d25fb88b3b421ca1130d30cd7ac684a7896f537cd9e1e1d222532eeed3257fa418b0ed2b95c069f6ee5a06bffcc52b3212be84f4fa148ea00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586d7a.TMP

Filesize
82KB

MD5
d3457687b0711d1ee73b36482287c210

SHA1
c745e200f078fc0efd832c4b980794b4399f8a46

SHA256
4a44b734ff24199d590aa9bf05b05bf6fbb91cc06e052e6fd9a320ae84d02b6b

SHA512
25a57ca35e42349d3e9f217b968071f045d0fe20d2392294d593c7a0c401759f262f24d77734f75a64bc2b642114205c5eb91ab86908a1e25e0b035c62166f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\16dd6bdcae.exe

Filesize
2.3MB

MD5
84f2db2acef926f4e8b5f4925f434401

SHA1
1dfedf5dd119a740b1970a75c398c11fb09a5707

SHA256
7b0383f36b4989b7580e6af8dcbc0e03d783f2c41d64805b16f807dea035d6f1

SHA512
99fa458eddcf4a095e9a3f10cb5521258cabd5b1e1d7b2bc6f466d49e8ad43da5ca781d831be3c2d9faba53f18eaac9a0deb949980ab4669edc3693419c141ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\ec378305e1.exe

Filesize
2.3MB

MD5
bf77967d6633d2aef3909980518bb059

SHA1
11d71c9676e172edd3404970cce53d89705de46d

SHA256
5f1f6ac282e4609e3e023839f2bab6c9f823c81235f7d57e0ef16b4c842f65dc

SHA512
4c295b1cde00f0d339613777714c3e8075e8aa5a3fc6e3b148ef9d459408e6924d9a02929ea825ced336ad796e1cf5ab3792ce91f4f1e63174c6abab5a79b5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
12ab9284b7bc5f1a10fdab18ec3387c6

SHA1
e3dcf2c85f3ab888fcc0e0555fc0438e85411d86

SHA256
8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448

SHA512
c997de1c1e4926fbef32a40d007696df714e56f987cb57a4fbf20b8f1a749bc83e37927174f778672c82b363980c5512a546990fb3c0172305c15a9c461272ac

Download Submit
memory/1744-127-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/1744-121-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/2368-252-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-160-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-47-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-239-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-42-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-250-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-177-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-173-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-128-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-130-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-199-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-254-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-256-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-214-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2368-197-0x0000000000AC0000-0x0000000001097000-memory.dmp

Filesize
5.8MB

Download
memory/2396-5-0x00000000004C0000-0x0000000000960000-memory.dmp

Filesize
4.6MB

Download
memory/2396-17-0x00000000004C0000-0x0000000000960000-memory.dmp

Filesize
4.6MB

Download
memory/2396-3-0x00000000004C0000-0x0000000000960000-memory.dmp

Filesize
4.6MB

Download
memory/2396-2-0x00000000004C1000-0x00000000004EF000-memory.dmp

Filesize
184KB

Download
memory/2396-1-0x0000000077AB6000-0x0000000077AB8000-memory.dmp

Filesize
8KB

Download
memory/2396-0-0x00000000004C0000-0x0000000000960000-memory.dmp

Filesize
4.6MB

Download
memory/3716-212-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/3716-213-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/3720-129-0x0000000000090000-0x00000000005F2000-memory.dmp

Filesize
5.4MB

Download
memory/3720-168-0x0000000000090000-0x00000000005F2000-memory.dmp

Filesize
5.4MB

Download
memory/3720-65-0x0000000000090000-0x00000000005F2000-memory.dmp

Filesize
5.4MB

Download
memory/3720-161-0x0000000000090000-0x00000000005F2000-memory.dmp

Filesize
5.4MB

Download
memory/4044-46-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-238-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-157-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-210-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-120-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-196-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-167-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-174-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-45-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-198-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-44-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-43-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-249-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-23-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-251-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-20-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-253-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-19-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-255-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download
memory/4044-18-0x0000000000120000-0x00000000005C0000-memory.dmp

Filesize
4.6MB

Download