44caliber | hxxps://pixeldrain[.]com/u/pTQAcqFT

Analysis

max time kernel
88s
max time network
86s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
14-02-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/pTQAcqFT

Score

10^/10

44caliber njrat umbral evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1207280118632816672/0IZfDvtoISIje6CJrXL_Q-d2-6He_gSbGz-bx0rHpv2QNeoScHFiZ4sukqDpuSEztgqw

Extracted

Family

umbral

https://discord.com/api/webhooks/1207297266575081502/8pNNw7XjV5x3NJruoh5DyQ0-4SAQCe6BhhIyIv91xDxVVGnGIhfAFyQBn7F9GYDazHOv

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral2/memory/4164-2175-0x00000000001F0000-0x00000000005C8000-memory.dmp	family_umbral
behavioral2/memory/4164-2177-0x00000000001F0000-0x00000000005C8000-memory.dmp	family_umbral
behavioral2/memory/4164-2214-0x00000000001F0000-0x00000000005C8000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5648	netsh.exe
5404	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\857a36d144447cbe1b21c7d14a00d148.exe	Realtek_High_Defenition_Audio_Device.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\857a36d144447cbe1b21c7d14a00d148.exe	Realtek_High_Defenition_Audio_Device.exe

Executes dropped EXE 5 IoCs

pid	Process
4084	monjaro_executor.exe
3220	protected.exe
4164	stealer_umbral.exe
1848	stealer_44l.exe
5232	Realtek_High_Defenition_Audio_Device.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\857a36d144447cbe1b21c7d14a00d148 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Realtek_High_Defenition_Audio_Device.exe\" .."	Realtek_High_Defenition_Audio_Device.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\857a36d144447cbe1b21c7d14a00d148 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Realtek_High_Defenition_Audio_Device.exe\" .."	Realtek_High_Defenition_Audio_Device.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4164	stealer_umbral.exe
1848	stealer_44l.exe
3220	protected.exe
5232	Realtek_High_Defenition_Audio_Device.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4384	1848	WerFault.exe	86

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\monjaro_executor.exe:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5752	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4164	stealer_umbral.exe
4164	stealer_umbral.exe
3220	protected.exe
3220	protected.exe
1848	stealer_44l.exe
1848	stealer_44l.exe
1848	stealer_44l.exe
1848	stealer_44l.exe
1848	stealer_44l.exe
1848	stealer_44l.exe
5232	Realtek_High_Defenition_Audio_Device.exe
5232	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	firefox.exe
Token: SeDebugPrivilege	4564	firefox.exe
Token: SeDebugPrivilege	1848	stealer_44l.exe
Token: SeDebugPrivilege	4164	stealer_umbral.exe
Token: SeIncreaseQuotaPrivilege	4980	wmic.exe
Token: SeSecurityPrivilege	4980	wmic.exe
Token: SeTakeOwnershipPrivilege	4980	wmic.exe
Token: SeLoadDriverPrivilege	4980	wmic.exe
Token: SeSystemProfilePrivilege	4980	wmic.exe
Token: SeSystemtimePrivilege	4980	wmic.exe
Token: SeProfSingleProcessPrivilege	4980	wmic.exe
Token: SeIncBasePriorityPrivilege	4980	wmic.exe
Token: SeCreatePagefilePrivilege	4980	wmic.exe
Token: SeBackupPrivilege	4980	wmic.exe
Token: SeRestorePrivilege	4980	wmic.exe
Token: SeShutdownPrivilege	4980	wmic.exe
Token: SeDebugPrivilege	4980	wmic.exe
Token: SeSystemEnvironmentPrivilege	4980	wmic.exe
Token: SeRemoteShutdownPrivilege	4980	wmic.exe
Token: SeUndockPrivilege	4980	wmic.exe
Token: SeManageVolumePrivilege	4980	wmic.exe
Token: SeImpersonatePrivilege	4980	wmic.exe
Token: 33	4980	wmic.exe
Token: 34	4980	wmic.exe
Token: 35	4980	wmic.exe
Token: 36	4980	wmic.exe
Token: SeIncreaseQuotaPrivilege	4980	wmic.exe
Token: SeSecurityPrivilege	4980	wmic.exe
Token: SeTakeOwnershipPrivilege	4980	wmic.exe
Token: SeLoadDriverPrivilege	4980	wmic.exe
Token: SeSystemProfilePrivilege	4980	wmic.exe
Token: SeSystemtimePrivilege	4980	wmic.exe
Token: SeProfSingleProcessPrivilege	4980	wmic.exe
Token: SeIncBasePriorityPrivilege	4980	wmic.exe
Token: SeCreatePagefilePrivilege	4980	wmic.exe
Token: SeBackupPrivilege	4980	wmic.exe
Token: SeRestorePrivilege	4980	wmic.exe
Token: SeShutdownPrivilege	4980	wmic.exe
Token: SeDebugPrivilege	4980	wmic.exe
Token: SeSystemEnvironmentPrivilege	4980	wmic.exe
Token: SeRemoteShutdownPrivilege	4980	wmic.exe
Token: SeUndockPrivilege	4980	wmic.exe
Token: SeManageVolumePrivilege	4980	wmic.exe
Token: SeImpersonatePrivilege	4980	wmic.exe
Token: 33	4980	wmic.exe
Token: 34	4980	wmic.exe
Token: 35	4980	wmic.exe
Token: 36	4980	wmic.exe
Token: SeDebugPrivilege	5232	Realtek_High_Defenition_Audio_Device.exe
Token: 33	5232	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	5232	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe
4564	firefox.exe
3220	protected.exe
4164	stealer_umbral.exe
1848	stealer_44l.exe
5232	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 196 wrote to memory of 4564	196	firefox.exe	74
PID 4564 wrote to memory of 1588	4564	firefox.exe	75
PID 4564 wrote to memory of 1588	4564	firefox.exe	75
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 4636	4564	firefox.exe	76
PID 4564 wrote to memory of 3752	4564	firefox.exe	77
PID 4564 wrote to memory of 3752	4564	firefox.exe	77
PID 4564 wrote to memory of 3752	4564	firefox.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://pixeldrain.com/u/pTQAcqFT"
1⤵
- Suspicious use of WriteProcessMemory
PID:196
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://pixeldrain.com/u/pTQAcqFT
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.0.183185924\124713691" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a23090-a295-40c9-939b-d923e07bc9f5} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 1776 1385b606458 gpu
    3⤵
    PID:1588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.1.1463521358\287665774" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43670dc9-699a-4eb5-baad-0bc4aacf8303} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 2152 1385a3fb958 socket
    3⤵
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.2.768749394\1722860503" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2984 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0ffd1d-b57f-43c2-aafe-4f6eb89b1f0a} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 2976 1385e2d1458 tab
    3⤵
    PID:3752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.3.1396396288\1077435870" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3500 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29901306-4853-42e1-8c9e-62cb4af62920} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 3520 1384f36ae58 tab
    3⤵
    PID:4308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.4.1450564440\2143839760" -childID 3 -isForBrowser -prefsHandle 4756 -prefMapHandle 4752 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1b4dcd6-34f7-4ed5-bc1c-5e919e0ea214} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 4768 13861530858 tab
    3⤵
    PID:4040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.5.649353352\1841916402" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4884 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65dcfda1-cf9f-452e-b484-fedeec8c6f3d} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 4872 13861532358 tab
    3⤵
    PID:4208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4564.6.195331863\1966162084" -childID 5 -isForBrowser -prefsHandle 4872 -prefMapHandle 4968 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8dfa48-4437-4c9a-b261-9d4e385518fc} 4564 "\\.\pipe\gecko-crash-server-pipe.4564" 5160 138608d7658 tab
    3⤵
    PID:4284
- - C:\Users\Admin\Downloads\monjaro_executor.exe
    "C:\Users\Admin\Downloads\monjaro_executor.exe"
    3⤵
    - Executes dropped EXE
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\protected.exe
      "C:\Users\Admin\AppData\Local\Temp\protected.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5232
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe" "Realtek_High_Defenition_Audio_Device.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:5404
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe"
        6⤵
        Modifies Windows Firewall
        
        PID:5648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe" & exit
        6⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 0
        7⤵
        Runs ping.exe
        
        PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1384
        5⤵
        Program crash
        
        PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4164
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\17933

Filesize
7KB

MD5
4ca154441214c2fea6115c32093333be

SHA1
991497c40535e2460817d1cfd47594ce6629246b

SHA256
4619e8263f291540fb93840c62d33a043ea0cfb39fa1dfb24830f75793c9559b

SHA512
caa0dae111b67f30ad557152303e04981f29c4ea4551a67332e54597d225227329d41bd84663a109983b0a4177e8c85dc74e7e988e1e572805f3640fd2e34223

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\18050

Filesize
7KB

MD5
54b1eecd8bdd804a6d3db6bc94c68e6a

SHA1
a25d014c1998460e7045b6b9575131c52bf29213

SHA256
d94e4002f8b74e267c8ef3a07ed85560896f7e109299474f058365098d0b8901

SHA512
b99a1bae799dd3dedac13ef7df98912385175b6cc6df934047f01bc72c3921bac1144bcd76d30d64689608d0270b03cb22acbf1a780da3b04079a3108f4c28ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\22284

Filesize
7KB

MD5
6451049960dde08f5109b1791742ec8a

SHA1
9aab38ca60d0c332285a5cf438c259d147bbd840

SHA256
d69bd85aeff9cb25292331617cb84d0a83c6b09b45cfa8fbcabaf1ee34250955

SHA512
d3eb0fc8e3b0f88ad02462b7339362624bb8dbfc99a7f03d601eab084ea2ff16c4b27c18d1ac5d051c5f7a0641e2185d2d840110dc71a777821f3cb8e23f989c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\23334

Filesize
7KB

MD5
1b24b22559b12d9bbf346ae96f54449f

SHA1
30ad8451ed74e4e3b1d0320440c04b6f769e7c64

SHA256
6ff45a125e28c8306120a7227c67dd5e5e360f25d46a68612ef88ba0331bf8f8

SHA512
de2d4d842cdaf0de53fdf4d6d2e7fb0d9d41370c504f4f68b7eda90dda2d311c8d78f58b5a4d75883282ca35cb8cd6f6eeb46bef1cb3ac5ae800ef713221faa0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\24366

Filesize
7KB

MD5
4f02b667015d96ff61ffeac701bf42a5

SHA1
4aed2196b128c7c15d88c8809c00dc0b32da3ed2

SHA256
e833e1c1ff98d179a5d5525d0a809c15678e2103e09a3c11cd0203f68753be34

SHA512
2fa28073e90dd21515611b7bfb1f9e1401069349707ae4b030f3865f278e26dd1f0d8e8f11bb7de47c55856a67931d4acc188962d688dfd3fa46951afad78ef6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\25190

Filesize
7KB

MD5
0186cf1ddaf04432183c884cb0bedcfb

SHA1
ad70e5aa5c01e8ef9fffb00ae82cd58951869e04

SHA256
3dcb8bd78b864001e10de08a29d320a99e97a3ac8584b63e6d5d0f4136807eab

SHA512
21d8362a692d87c7fd4407ca359d331073423be0e673e8e0d989b54961e744a2628d837f240191300454f14eb14a181edc8dfa312d2003342914467dc18b3260

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\27012

Filesize
7KB

MD5
af597eb84c7c18c62e54e8dabdf26b46

SHA1
55789638f6e1b47b6aba0b3e4347939ecfb6e868

SHA256
d19427472a2a71f3b1796c279ea289e12c10f38a127b747694be337623f030ae

SHA512
9b50164653d4a76c427317314bce01ee25db9e73b2823e0e316b26ec3b09ebe90fbb90a9df31186237d45c88071b6d36e1d038129fdb30223d8d4182a4d0c53a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\doomed\31100

Filesize
7KB

MD5
aed28f3a244df69f71e46ee47dd8581a

SHA1
7824f22a2dbcd77a8958b879def2a309477dc337

SHA256
b52b22b3a525a386aee5839687e2e330df54752b80c0c6b671033af090456186

SHA512
6fa48a3631aeed1c3eb42053d52b22deb35006e67ce5bc59729173aff5d217c65a002fb36c345823196b73b8314870d3509d80951fa0b51b096e80bf0534e25f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

Filesize
13KB

MD5
68eefd87daf131bfcc6194bdd7f7826f

SHA1
cb5fa40022df61608b0f31c9de54fa7ed08dc5be

SHA256
fefc7497f98bec4d132e96e33f968e534430c3e5cf194dd10a91813e116aec54

SHA512
51c2330a13420b5ba1128087e57e6732c41ec2a6568a9e07e7627856e3f9f361b8ec0abf3e11072f8dea9d32dbef0e01c6875367856b43f139e1ae4fa4413a81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sx470w5j.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
8688de9e71ca5bc25ca5c22bea9fdfa3

SHA1
2fda8d5781e578178014e27be6c3127ffb22d8f4

SHA256
39ae9d222f561ad774122f88120b388d5c20fce1999e22c8404cdd42d0934e4d

SHA512
2752d9ced37e3008d885b1a3aba5951c3110031236aef63a44655a2e01321e895cd8adada1b2a953c6ef62e820d05a3df9d86cae931dd61e7942e6d07bf9898d

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe

Filesize
619KB

MD5
3308db5914e921c9344e4df9b3fd257a

SHA1
90100f9e935802ae111b7adc20bf69ea2ce516c1

SHA256
da27de51285230002412787802f43503d0fcb46e58ac72c5675e2b9a1b486a64

SHA512
0ad40cf756ee19f511ed1df07f5c939fd6ed7fdab6c2b4f42c7918b410471efedadf7b8dd36698cde3d49dd2295a5fad8ae2f0295b54d627a62daee71c79fed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
726KB

MD5
4ce7fd13d30f25a2e4750414fdcbb5eb

SHA1
1d3c62a9b9be963f07987ca1f79c071cc3b4f355

SHA256
d03f651e517ad44df32d7d5f7940bd47f5cfa12ad1febbdc31efcc0ed72235bf

SHA512
83bc93e1f6126e674aac22bd63bccfb1282101133053470941953677b3c3f36801a0ff1f4cdf3610d786b97e7526def2ddbc67be9c0b5a1ee5618f9abee1528c

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe

Filesize
690KB

MD5
2f37907423cb7e2a0443262474adb919

SHA1
3f117bb93b6d81d4f3f926e0386d51595ecd3203

SHA256
b3a245cbe799ed0e369fea7c409774b1ace32405ccb7b31e0ffc25d4d1d84893

SHA512
f1e16b2343c4c5009cba10f4cf7f332955a1087b52df5ef4587641f828e344299c805094123571e6ddd2944e6e31a7ded5a05819e7fac401f909520c8d57aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e9e5e00f72a09b3d467aeff5f8323098

SHA1
4ddee98d4cd2548aebf95ffa55abd68c2b69f55d

SHA256
ca7cd3aeaa157e351c7ac158970d828044d9742bcd7be9c9a85fde78b859201f

SHA512
4879ba96a25e9f9317ef35b5af812ccae640887024cac3dd04cfa7a37303b1d44ee3ffd3280e6a3666795198cb1645d702f67db9674bd29a8c2c861d8b85e2e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\datareporting\glean\pending_pings\5010a08d-1417-4557-be02-724fd1ad2271

Filesize
746B

MD5
3202976fef217b9e3c099c14b6fe9860

SHA1
faef1d05350ddad326e5df4b59f85e8e3fdc6efa

SHA256
df19ad0c0ac874b0987b2c6232cf01f7902194afdb60e38fcc4714c891bf038f

SHA512
49f92a59f01602294f0c77c21d3257a00b6f37abbfc87963a3c03300b1c5c2f5b5b594d75b17ee94b3978ead9e7faaa09777f465e5ca78d031391e246a6ea8c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\datareporting\glean\pending_pings\b29f05f5-0fca-43c7-896b-d57a83f7562f

Filesize
11KB

MD5
6ec67ec57ff5f9a2c5a59e8811663e27

SHA1
f51a08c10f06277d674d7eadc26f469291ae3a61

SHA256
db1adf8b88fbac75e39eb50fd7ac3b8e409a1b07703da4ac841c149478282d7a

SHA512
efb3a408bd7064b4b60d2f6bef5ca3f3502bbaface2b30ca20bd1d0d89dc7f04d42f7ed3503f0d2a2f48a96b18d63941bacd67a4cc43fe684fa2ac0329986b65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\prefs-1.js

Filesize
7KB

MD5
21ad9e5103a1d2f9db06c92bd2e3642b

SHA1
3e94516d1de4e11b132f192d8bc632f4bf2878fd

SHA256
467352b08a6dfb60ae14c10421842c89dbf8d68a49d3e7733671fe23fbe07eb7

SHA512
9b1b35477c03c50d21c94508c036f02b323f2b176c88aa5e4c4e58ab12ea7bc5eb5ef2776329249673ac49c91c0781cd7c94a1681cd8ae87cbb49e5149841c96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\prefs-1.js

Filesize
6KB

MD5
23d0f41162e1ff4f3db2f1a94e3173e6

SHA1
7310bb5bf7d56c4f1ea0241dd497f42f195cae31

SHA256
263d23342c8895a71a48131ce6765de70591e2aeb18c91ebc09945169c70374d

SHA512
15a14f79b63a711ae46ef61703397ec124425c2bbe53b7ff67ed4dda77718edb7223a377d35d75a02b930bf4616d80cb61cf677c5d8e38b8f37d29009e65900b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
284599c06c8b8a3ee12eb58dc590c4ba

SHA1
1e56ca42f12c3172c5b44d913fa036467c107e3b

SHA256
cd72bf52561a7145bff24ed40f1927755b56d0cabbf804624f3cf72e9c736223

SHA512
92c8e6aa5ccc06004d3cacd8c41cbb36e495420373b232836fa9d7f7d70b1e48dd7b5c78a4db0bf2a20da74a7a8436bff33bfe28cf3fc29131948bf2385d116d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
21KB

MD5
d808ff20f8c22e1db1efd46c8b7b974a

SHA1
246d8fe4f432d58df64c786485848a27ca54a4f5

SHA256
e9b920f93c9262ecf791452e2a2bd23da54a0f7b79dcd32b90d720cc664cf433

SHA512
c8b865c19cbb1cdbb85952df155d4582f86bdb0373234b9a32d143befee81dcc104502294e40aecac49792f5ecd90e52c507e4dc443b9aa3a246c21e691ad482

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.8MB

MD5
7f30c0b5ee415da8b6f3398c278e86a8

SHA1
2ebcf9d29812314307a0c94e77d152ccf46104ef

SHA256
1ea9638b4c228f16376597ffe8861f2abc3a94cebbee2fee04e785a2d3c5c73f

SHA512
4f7dde1d37a15a9f94cb4016f9d1b6e6222d76bfb5fcbe53a87734a8e95b5066d5e2ac6d78e120e5560ce28f212b14df28d2609c6c66780948cf8c5e3b7d8903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
898e6ef32c15794796a778c26b4506b1

SHA1
eb3cc3cfbb7b6a66d4a87f576ce64a818f1ae210

SHA256
f5d66f84e75f2c35a54365d8bc724f4d8fe325acb6d9dae0a56f9cf913500cdf

SHA512
5d8980bc75138093d097413957de0fae8e48869da218e63640555a0ad23d6ac9b664cad2c65a53100549c05a36431af305940e90b1163007b065350ec8ff9bf3

Download Submit
C:\Users\Admin\Downloads\monjaro_executor.MTWsMx7O.exe.part

Filesize
80KB

MD5
1bbf0cb3d43b530e0a99bc45d947ac95

SHA1
6cfad14e2b57f55f0229399e7eaa76a559a6f810

SHA256
bdf1c1b9733b2b6f42474bfac592fce54f9d44691e390f688fa4530ef6f1f776

SHA512
b54f4bd83dad46963e579fc6081809b876040a8d069b174f9eb274c02acc9b57dc77ad5131ad5a15e87bcd0be67b2a345b47203d8183b54e1a3d9b055807d4a9

Download Submit
C:\Users\Admin\Downloads\monjaro_executor.exe

Filesize
2.3MB

MD5
1dc9d40fccda86f9bc47a55030b55f28

SHA1
f2e5b1258c7d78b2b694ba290200b1c60171d5a8

SHA256
4e9f5b1643639ad760ab672a05f63c176ecc5175c0c1c39c04cdf32499cb4536

SHA512
539c93e3032878d90bb63b409c713ed1f74a8788532133ab549915bcf66e5e54beddf36382ff94692239fd91a5fede14a3b83cb47b33fd6efb7c27e7509e4058

Download Submit
\??\c:\users\admin\appdata\local\temp\71E53635

Filesize
14B

MD5
cade1ace9e852c3cd7389477da82cd68

SHA1
af02f76b17ad4b9bbfb26def6e2691d58fcf3e78

SHA256
9eb100d9c16747d8d98abc0d623bd06a7e91732cfc3e06c7d18655e25fb24e58

SHA512
e742a6070c5b4bc19663f17b69181ce5657dd5ded0b70b5c31b501007dfd998ae071d2e6b0667172103c2fbdf7356de75376fba26a096a3dae28eb562e78c44f

Download Submit
memory/1848-2173-0x0000000001160000-0x000000000154A000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2262-0x0000000001160000-0x000000000154A000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2276-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1848-2176-0x0000000001160000-0x000000000154A000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2174-0x0000000072660000-0x0000000072D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1848-2263-0x0000000072660000-0x0000000072D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1848-2167-0x0000000001160000-0x000000000154A000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2196-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3220-2232-0x0000000072D50000-0x0000000073300000-memory.dmp

Filesize
5.7MB

Download
memory/3220-2158-0x0000000000E00000-0x00000000011A8000-memory.dmp

Filesize
3.7MB

Download
memory/3220-2182-0x0000000072D50000-0x0000000073300000-memory.dmp

Filesize
5.7MB

Download
memory/3220-2180-0x00000000034D0000-0x00000000034E0000-memory.dmp

Filesize
64KB

Download
memory/3220-2228-0x0000000000E00000-0x00000000011A8000-memory.dmp

Filesize
3.7MB

Download
memory/4164-2215-0x0000000072660000-0x0000000072D4E000-memory.dmp

Filesize
6.9MB

Download
memory/4164-2205-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/4164-2177-0x00000000001F0000-0x00000000005C8000-memory.dmp

Filesize
3.8MB

Download
memory/4164-2191-0x0000000005EC0000-0x00000000063BE000-memory.dmp

Filesize
5.0MB

Download
memory/4164-2179-0x0000000072660000-0x0000000072D4E000-memory.dmp

Filesize
6.9MB

Download
memory/4164-2175-0x00000000001F0000-0x00000000005C8000-memory.dmp

Filesize
3.8MB

Download
memory/4164-2214-0x00000000001F0000-0x00000000005C8000-memory.dmp

Filesize
3.8MB

Download
memory/4164-2163-0x00000000001F0000-0x00000000005C8000-memory.dmp

Filesize
3.8MB

Download
memory/4164-2181-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/5232-2234-0x0000000072D50000-0x0000000073300000-memory.dmp

Filesize
5.7MB

Download
memory/5232-2225-0x0000000001260000-0x0000000001608000-memory.dmp

Filesize
3.7MB

Download
memory/5232-2265-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/5232-2231-0x0000000072D50000-0x0000000073300000-memory.dmp

Filesize
5.7MB

Download
memory/5232-2233-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/5232-2285-0x0000000072D50000-0x0000000073300000-memory.dmp

Filesize
5.7MB

Download
memory/5232-2286-0x0000000001260000-0x0000000001608000-memory.dmp

Filesize
3.7MB

Download