86f783a90ebc8f381e8c6484d412cce8e587d003856b522b271ca15691e9dd8b

Analysis

max time kernel
244s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiBit.exe
Size

324KB
MD5

0f39821d5744907e68885862080c6234
SHA1

71e263f94a80d6cd1df1349c4a2202ef5f2518c3
SHA256

86f783a90ebc8f381e8c6484d412cce8e587d003856b522b271ca15691e9dd8b
SHA512

38299692594b995607987e1369d7c2c8913e8daec076b3779a61033093290e69fab1fb8cae0a83a80643a825f67b41a81eb17d21736054a656067ae8bcf93cbc
SSDEEP

3072:Ex+JMeg3Z0EeYesNKnXORQtmGWA68rdCbyzziT6hTnNPmxZjmsNKnXOZu:Ov4XORAmGc8rdCbkziksZ4XOZ

Score

8^/10

agilenet pyinstaller

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

wServ64.exewServ64.exe

pid process

1864 wServ64.exe
1536 wServ64.exe
Loads dropped DLL 4 IoCs

Processes:

wServ64.exe

pid process

1536 wServ64.exe
1536 wServ64.exe
1536 wServ64.exe
1536 wServ64.exe

pid	process
1864	wServ64.exe
1536	wServ64.exe

pid	process
1536	wServ64.exe
1536	wServ64.exe
1536	wServ64.exe
1536	wServ64.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3384-2410-0x00000000058F0000-0x0000000005900000-memory.dmp	agile_net
behavioral1/memory/3384-2411-0x00000000059E0000-0x00000000059EE000-memory.dmp	agile_net
behavioral1/memory/3384-2417-0x0000000007610000-0x000000000775A000-memory.dmp	agile_net
behavioral1/memory/3384-2557-0x00000000058D0000-0x00000000058E0000-memory.dmp	agile_net

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

193 ipapi.co
196 ipapi.co
198 ipapi.co

flow	ioc
193	ipapi.co
196	ipapi.co
198	ipapi.co

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\wServ64.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\wServ64.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\wServ64.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\wServ64.exe	pyinstaller

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4104 4936 WerFault.exe MultiBit.exe

pid	pid_target	process	target process
4104	4936	WerFault.exe	MultiBit.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\MultiBit.zip:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\MultiBit.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

taskmgr.exe

pid	process
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

firefox.exetaskmgr.exeMultiBit.exe

description	pid	process
Token: SeDebugPrivilege	3824	firefox.exe
Token: SeDebugPrivilege	3824	firefox.exe
Token: SeDebugPrivilege	4304	taskmgr.exe
Token: SeSystemProfilePrivilege	4304	taskmgr.exe
Token: SeCreateGlobalPrivilege	4304	taskmgr.exe
Token: SeDebugPrivilege	3824	firefox.exe
Token: 33	4304	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4304	taskmgr.exe
Token: SeDebugPrivilege	3824	firefox.exe
Token: SeDebugPrivilege	3824	firefox.exe
Token: SeDebugPrivilege	3824	firefox.exe
Token: SeDebugPrivilege	3384	MultiBit.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

firefox.exetaskmgr.exeMultiBit.exe

pid	process
3824	firefox.exe
3824	firefox.exe
3824	firefox.exe
3824	firefox.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
3384	MultiBit.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
3824	firefox.exe
3824	firefox.exe
3824	firefox.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe
4304	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

3824 firefox.exe
3824 firefox.exe
3824 firefox.exe
3824 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 2912 wrote to memory of 3824	2912	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2408	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2408	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 2404	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 3732	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 3732	3824	firefox.exe	firefox.exe
PID 3824 wrote to memory of 3732	3824	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MultiBit.exe
"C:\Users\Admin\AppData\Local\Temp\MultiBit.exe"
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1048
2⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4936 -ip 4936
1⤵
PID:988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.0.1010046646\662674526" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cc15db8-b0d1-4091-896b-88cca58beb36} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 1932 2c2f0818358 gpu
3⤵
PID:2408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.1.2131957903\933435606" -parentBuildID 20221007134813 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {989879bb-2917-4ce7-a4c9-533a90063e18} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 2332 2c2e2872558 socket
3⤵
PID:2404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.2.187726328\1875989708" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2920 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {267ad72b-39c7-4643-89c0-cc2114569a21} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 3036 2c2f34f4b58 tab
3⤵
PID:3732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.3.497172631\1449185842" -childID 2 -isForBrowser -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd6f29b-781a-4d0d-8274-b0034fa6abd5} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 1256 2c2e2871358 tab
3⤵
PID:3860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.4.355243410\776029881" -childID 3 -isForBrowser -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc53cf24-5604-4fdb-84b7-a54fc67e6882} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 4152 2c2e285b258 tab
3⤵
PID:4420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.7.628294272\1688061151" -childID 6 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f77b4cdf-8765-438f-8679-889add9f2d20} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 5288 2c2f5d90958 tab
3⤵
PID:4868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.6.469811948\981301160" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db44d983-c0a3-4e68-8762-b22d2545c642} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 5092 2c2f5d91258 tab
3⤵
PID:5036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.5.818198942\2095908554" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {556b7282-7531-4413-8eea-ecc6015f36ab} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 4968 2c2f5d91558 tab
3⤵
PID:1732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.8.1416110400\1390769180" -childID 7 -isForBrowser -prefsHandle 4972 -prefMapHandle 4336 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96d1561d-889f-41e2-8b1c-0094a072cb5e} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 5064 2c2e2869958 tab
3⤵
PID:5624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.9.484080135\1452361787" -childID 8 -isForBrowser -prefsHandle 5020 -prefMapHandle 5004 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf86ca5f-7a4e-4aaa-95d9-80a68aaba4bc} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 5032 2c2f082cc58 tab
3⤵
PID:5632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.10.2109761942\234192150" -childID 9 -isForBrowser -prefsHandle 3032 -prefMapHandle 2884 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2173dc60-35a6-43a4-a764-12a33ddecc50} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 3192 2c2f3af8858 tab
3⤵
PID:1944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.11.434517830\578135106" -childID 10 -isForBrowser -prefsHandle 3700 -prefMapHandle 3688 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6fa085d-87f2-470d-aaa4-00ab27adf2c2} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 5048 2c2e2862e58 tab
3⤵
PID:5384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.12.1260639621\2088488708" -childID 11 -isForBrowser -prefsHandle 5284 -prefMapHandle 4820 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {277d2620-0941-42be-9f1a-3d45cf00ad21} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 5048 2c2f6b62158 tab
3⤵
PID:5980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.13.1410953259\1435334581" -childID 12 -isForBrowser -prefsHandle 6172 -prefMapHandle 4796 -prefsLen 27371 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1e764e4-d760-4ffc-9f84-0f8ba02e1797} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 1444 2c2f7d4e258 tab
3⤵
PID:1392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.14.155974343\2047009314" -childID 13 -isForBrowser -prefsHandle 6376 -prefMapHandle 6448 -prefsLen 27371 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07a0e5ed-ca03-4ca1-8ab3-1393e58f049a} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 6460 2c2f7d4eb58 tab
3⤵
PID:2180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3824.15.268564542\969669309" -childID 14 -isForBrowser -prefsHandle 6604 -prefMapHandle 6608 -prefsLen 27371 -prefMapSize 232675 -jsInitHandle 1500 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd4490a6-d264-4227-8b77-40334d21c3f4} 3824 "\\.\pipe\gecko-crash-server-pipe.3824" 6680 2c2f7d51b58 tab
3⤵
PID:4668

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4692

C:\Users\Admin\Downloads\MultiBit\MultiBit\MultiBit.exe
"C:\Users\Admin\Downloads\MultiBit\MultiBit\MultiBit.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3384

C:\Users\Admin\AppData\Roaming\wServ64.exe
"C:\Users\Admin\AppData\Roaming\wServ64.exe"
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Roaming\wServ64.exe
"C:\Users\Admin\AppData\Roaming\wServ64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp
Filesize
139KB

MD5
52e41d9506112f680c8e337841584ee3

SHA1
3afa92382b039fc933c88ac46315145b125c89c4

SHA256
7f2ebbeafc08dd6ce7784ca2b8c5ad56397ac4eefd8cb4bcf7d8d6b36d7f5213

SHA512
020133e17b939c2c55f33a42b8745e714df190a28911afb535586f54e9cb7031e27168512c5bfe93bfdfa8aa20fcc6412934d5246230bed20d818ccfda8f935c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\thumbnails\484095df0c60a8cc4694a471eb9ea0d4.png
Filesize
53KB

MD5
21fb4b7d124fe45fe55cf946fccbc323

SHA1
6a2157a28cea7f34ea23524dfb3db2aacee753f7

SHA256
8cf12dda33b52e3566e97dede1e80bbdad7cb2627b67f82ba1bb5c4daaffc37f

SHA512
bc0a81f1154546409ba09a778ae7ddcc33c90db4055a5f6d5a4055e103e335220ecdeaac93ed0c04df88501380f4f6585dd6fd06e47fdee85abd61b28d15662e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_socket.pyd
Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\_socket.pyd
Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\base_library.zip
Filesize
1.7MB

MD5
948430bbba768d83a37fc725d7d31fbb

SHA1
e00d912fe85156f61fd8cd109d840d2d69b9629b

SHA256
65ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df

SHA512
aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\python311.dll
Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\python311.dll
Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\select.pyd
Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\select.pyd
Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
7KB

MD5
2117b706995f750cb784ea961f64806c

SHA1
277adda04ffa74f7211b34c7f3888ba72375d520

SHA256
e6af678e2c0962c68b47865c25d3a3faa7408746f9bdb8905db4f2501065ca8d

SHA512
c605da54f8bc7d540539a64dd788d5825ced3e8980ea6cc5daf25933eeced003565c3453dc6de7dc0639765b93526d52977a1a5d6440aaca3e1ed47d7c773a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
6KB

MD5
f4e583c327fb516ec5fd85fa5d1a0869

SHA1
80a1f6fa8f6fd587cd69fa3b188bbda974836527

SHA256
b9f322d9228ab49534ba71adeaebc8ed07fbc6501308591f9d92b813948b03fa

SHA512
07039558f69fe77c83d975d3fd70f6344108bfce7ee8546827fbd2b5c59124863da89b78bae57f55b1d3c7467be47fa586b08dc4a84301078e4eaff90a105d97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
6KB

MD5
8f49ae275821034a432cad3c5a26d0c4

SHA1
ce86fdac5afeaf1b53c90e4ac87957f3f8e62825

SHA256
8ec78a4c04a80319cb114dce5188ec607f371c93260f6efc94b3d8e6ea246a50

SHA512
9a74cb6415cc09b0aa8a50132b1cc59ca6ee3d758dec4d38dd7528cbfda19d327cac633f67da637de750f33b416d6b67d21c8422605541417c50ec4ade12e58e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
6KB

MD5
b2910ff85e44b9fed941508a86c1f4f4

SHA1
4a8888c48cad08cbf29db835b1f859487e30941e

SHA256
53e9014fb466a918c6ff2b7cf63505f2812865895a22be8f1dd63e140be9940f

SHA512
39f2be979d47b85ee7822a0696ea436679555d5354df6e0c6db3c50d40723b2a4fd266c9827e09e0325e2f103aafa3f2bc465a1e8de19d8f76fb568c7f723d38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
7KB

MD5
9f5f256942482dd50192ba628afbf273

SHA1
3face80ca5ffc641db2cd1e2345886aa6a221fe1

SHA256
0a9481bf2c555ac2a6b573199f847ea26040b0ad9d0165a08d9d79ae14c34596

SHA512
8f6c23d85f48a2695f1bfc1da6eb3e4c49ea7d7f7053f0c625a48e4c12f127d6e275007cda3249e7fe125b3431545fc2ac8ce72a884b154326f5d6ffc56c18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
7KB

MD5
12409d7d9662f91f4e4bd42643f813b3

SHA1
e5de22818e81d069cd93e6a88a0c71eb16696497

SHA256
459b8d2a5ed8ca53b4a36952ee2e27475fb012cc7fab4c6d1b67b0815a445bc5

SHA512
de48fc33184c6c53a36a038b000fdeb1a43769f4df6e3da5be54f532ff043dea1180da9ef67de29ae82c98e6e8e52825ed1b25fb5fd7311f7d8dc008fa0d603e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
Filesize
7KB

MD5
afe56c873d34ae9197d47c3602f0fb16

SHA1
1c881ab67e0f28883ebafbfdb264ca8c43f5742e

SHA256
07dc58c9d6614d35900f7df4b4a2aede80adfe0271572b349029ea7c46fe2a8f

SHA512
d95e68670a11cf405d2739f29144875d6a2efba13dba8279b6af4945baa18057ecc6a6044e14af10e3a0630f921750bc64ead87326b78f0156774aceaecc0c6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js
Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
227b106c832997c2ac5ed46b116f1fe3

SHA1
f6e1c0164dab6f2648369cbe533a0eff1075ff0c

SHA256
6f30a7b5499d5b588a77e7216e1fd9576ec21f7b60a85c513c758ca8cd38211b

SHA512
6c8bb64927d3b1d500faa9533e6c4b6807b71b561587640001d77d5abc4cebc7c56b8adc3e24bf7ebe01204d70bfad744ba3e234c8386bea63072522402b87e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
221abea75b2990f64109f672ece63975

SHA1
f014a13147d99cef977f0359d43d548b53fba465

SHA256
b797140573bfdf6979b2744ff78feec3970c7656d830e00db3d24dfcaa915894

SHA512
6910a8bce4328305316890efa425bdf3ac0eec56b7d6faa499a8edacb2b9e3f21ecd4778cd0c80270e2fdeba58c59d95246301d42ed61bcff017a00e244fd77a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\storage\default\https+++new.bonebow.top\cache\morgue\217\{590fe154-d5ab-42d0-a438-403cc43377d9}.final
Filesize
1KB

MD5
551cb95062e71b367a162653786c883b

SHA1
96a452a715018b7a87d2594c6073fd3d2d44dc27

SHA256
c2026311f7a1f0bb6257aa4ec40e54bc256b6a96fa708e806a257563b6c543a2

SHA512
4541eb32afe95d66f8d651408065c968179883cf8b5e334b17d059a836983ac28d309869b7817f8d9a9ac15a416794e56bc6201039fade32169636209743b1db

Download Submit
C:\Users\Admin\AppData\Roaming\wServ64.exe
Filesize
6.7MB

MD5
0e2548bfd53e97af19e3af1d3f6b9238

SHA1
6eeaee1f8f7e0500217cc469c79e05995a75a45f

SHA256
e9f002045faeb02a458c4eedafb279c80c1d5c5cd8f5dcd58a8791a1cd18d744

SHA512
fc320101dfee1a7dafe1f5b3c7cdd8b3c104485f090e63d5cd8a2a3ac9bc4c362818f4dc56ce6ccf2dd07e92f7ed5cc27a654cec7eceda6ba67c1379cc958f60

Download Submit
C:\Users\Admin\AppData\Roaming\wServ64.exe
Filesize
6.7MB

MD5
0e2548bfd53e97af19e3af1d3f6b9238

SHA1
6eeaee1f8f7e0500217cc469c79e05995a75a45f

SHA256
e9f002045faeb02a458c4eedafb279c80c1d5c5cd8f5dcd58a8791a1cd18d744

SHA512
fc320101dfee1a7dafe1f5b3c7cdd8b3c104485f090e63d5cd8a2a3ac9bc4c362818f4dc56ce6ccf2dd07e92f7ed5cc27a654cec7eceda6ba67c1379cc958f60

Download Submit
C:\Users\Admin\AppData\Roaming\wServ64.exe
Filesize
6.7MB

MD5
0e2548bfd53e97af19e3af1d3f6b9238

SHA1
6eeaee1f8f7e0500217cc469c79e05995a75a45f

SHA256
e9f002045faeb02a458c4eedafb279c80c1d5c5cd8f5dcd58a8791a1cd18d744

SHA512
fc320101dfee1a7dafe1f5b3c7cdd8b3c104485f090e63d5cd8a2a3ac9bc4c362818f4dc56ce6ccf2dd07e92f7ed5cc27a654cec7eceda6ba67c1379cc958f60

Download Submit
C:\Users\Admin\AppData\Roaming\wServ64.exe
Filesize
6.7MB

MD5
0e2548bfd53e97af19e3af1d3f6b9238

SHA1
6eeaee1f8f7e0500217cc469c79e05995a75a45f

SHA256
e9f002045faeb02a458c4eedafb279c80c1d5c5cd8f5dcd58a8791a1cd18d744

SHA512
fc320101dfee1a7dafe1f5b3c7cdd8b3c104485f090e63d5cd8a2a3ac9bc4c362818f4dc56ce6ccf2dd07e92f7ed5cc27a654cec7eceda6ba67c1379cc958f60

Download Submit
C:\Users\Admin\Downloads\MultiBit.AnTgRjl0.zip.part
Filesize
15KB

MD5
1444a1d290544482663a54546084186f

SHA1
a48e99c3d64efdda3f655a4dc0e5ca0c62e1f5da

SHA256
1aaa3716930034ee4fd3fcb89f5db407e74b157e1497b41b1501d7818b87196c

SHA512
f1d70330f71cca99d51dab516818f13deb0a18fccb35357f5ded362aad17dfa9773c9e275e427d6f01ef8a283eae5918d78c2df69b30f38a93ba26a352d4a5a1

Download Submit
memory/3384-2410-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/3384-2441-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2581-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2411-0x00000000059E0000-0x00000000059EE000-memory.dmp

Filesize
56KB

Download
memory/3384-2417-0x0000000007610000-0x000000000775A000-memory.dmp

Filesize
1.3MB

Download
memory/3384-2428-0x0000000009960000-0x0000000009986000-memory.dmp

Filesize
152KB

Download
memory/3384-2439-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2440-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2580-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2442-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2579-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2578-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3384-2557-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4304-793-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-783-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-784-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-792-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-788-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-794-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-782-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-790-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-791-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4304-789-0x0000022709C90000-0x0000022709C91000-memory.dmp

Filesize
4KB

Download
memory/4936-137-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4936-134-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/4936-135-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/4936-136-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4936-133-0x00000000007D0000-0x0000000000826000-memory.dmp

Filesize
344KB

Download