f26f9a618a04f3af4ddbc73d7dc278b603f159e33ebd72442b4aa1bfcfe1824b

Analysis

max time kernel
210s
max time network
218s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
23/02/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Teletubbies3.exe-Malware-main.zip
Size

1.7MB
MD5

57f5ebdea6b166d848b05f83eaf08580
SHA1

a244bddf2965c229ae45932f49617fdcaa1ffa6f
SHA256

f26f9a618a04f3af4ddbc73d7dc278b603f159e33ebd72442b4aa1bfcfe1824b
SHA512

33736e78c9e26765a879afe7507e082e11a754ef77812bef18817987c7f99e9b73d9204bc6c299e5cfd82e677298e25b288596f4669fb670a03c02a46ca34be1
SSDEEP

24576:dVgbZVgbSWrABV+Omwvuybaz0/zZv9JwslUJwslVa7GT1GFc7TdKSybBLjGYDVZR:dVGZVGymoayZReRQaccPQtBLjhpOG

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.jpg = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice\Hash = "XEOE5Q4ha4c="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8f7c9558e66da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\Hash = "/G1tNJ2Uj7o="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.htm = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice\Hash = "WB8F/V3TVgI="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.bmp = "1"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dea85f6b8e66da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e17e015f8e66da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice\Hash = "jECf3/iUJz0="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.raw = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.TS = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wdp = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.ADT = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice\Hash = "QMG2Lmmv5wQ="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\ProgId = "AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice\Hash = "F9GQIvmvid0="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\Hash = "vBIvdTaTegg="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\Hash = "MHmsDn2DPvI="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.html = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.3gpp = "1"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: 33	3784	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3784	SearchIndexer.exe
Token: SeDebugPrivilege	2312	firefox.exe
Token: SeDebugPrivilege	2312	firefox.exe
Token: SeDebugPrivilege	2312	firefox.exe
Token: SeDebugPrivilege	2312	firefox.exe
Token: SeDebugPrivilege	2312	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2312	firefox.exe
2312	firefox.exe
2312	firefox.exe
2312	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2312	firefox.exe
2312	firefox.exe
2312	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 4984	3784	SearchIndexer.exe	79
PID 3784 wrote to memory of 4984	3784	SearchIndexer.exe	79
PID 3784 wrote to memory of 4956	3784	SearchIndexer.exe	80
PID 3784 wrote to memory of 4956	3784	SearchIndexer.exe	80
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2468 wrote to memory of 2312	2468	firefox.exe	83
PID 2312 wrote to memory of 4080	2312	firefox.exe	84
PID 2312 wrote to memory of 4080	2312	firefox.exe	84
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85
PID 2312 wrote to memory of 3132	2312	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Teletubbies3.exe-Malware-main.zip
1⤵
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4984
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  - Modifies data under HKEY_USERS
  PID:4956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  PID:1388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.0.602731256\347097505" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b91838-9743-4a21-af27-9920a9a55a61} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 1796 2b187fba758 gpu
    3⤵
    PID:4080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.1.1429713644\358299206" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9266035-e0a5-4e46-8913-951697a22757} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 2148 2b187ef9b58 socket
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.2.1750164293\1920604123" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3551450a-a4c8-477e-b952-3f4ff1bb73b0} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 2964 2b18c199b58 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.3.648683753\1194568531" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84ba975d-5d23-4a43-934a-4e58c2a4793e} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 3512 2b18cf10b58 tab
    3⤵
    PID:1212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.4.735577653\1236581523" -childID 3 -isForBrowser -prefsHandle 4232 -prefMapHandle 4228 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b90d228-8691-4954-ba2a-507cf9f1d5be} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 4248 2b18d7d6d58 tab
    3⤵
    PID:544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.5.355656582\1673081703" -childID 4 -isForBrowser -prefsHandle 4812 -prefMapHandle 4808 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a64562f-e5ef-460b-811f-3655afce5d4e} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 4820 2b18d7d5258 tab
    3⤵
    PID:68
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.7.469484910\187795076" -childID 6 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a0b05b0-07d5-4da9-8df6-8077cb6e042e} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 4996 2b18e710b58 tab
    3⤵
    PID:4708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.6.121609\23198231" -childID 5 -isForBrowser -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51373b40-3b64-42ff-b590-28e031e88898} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 4912 2b18e710858 tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.8.799387796\884571024" -parentBuildID 20221007134813 -prefsHandle 5552 -prefMapHandle 5148 -prefsLen 26249 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79ef4994-7fc8-4bd4-8f0f-fbdcc2a9b781} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 5560 2b1905df358 rdd
    3⤵
    PID:448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.9.2098711861\2123451971" -childID 7 -isForBrowser -prefsHandle 5872 -prefMapHandle 5864 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4063ca34-539c-4a8b-85a1-63e6f9e15382} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 5812 2b1905dea58 tab
    3⤵
    PID:5316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.10.1086608909\977758575" -childID 8 -isForBrowser -prefsHandle 3976 -prefMapHandle 1564 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b5695c-3481-45b3-8630-63d812207754} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 3108 2b187efb358 tab
    3⤵
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.11.118503633\41871085" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {688b4415-f852-4b6e-893c-857b0dda1ae9} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 4736 2b190290b58 utility
    3⤵
    PID:4232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2312.12.1951326598\674993236" -childID 9 -isForBrowser -prefsHandle 6108 -prefMapHandle 6112 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05c0a795-ee1d-4a13-825a-1d13bb021f0f} 2312 "\\.\pipe\gecko-crash-server-pipe.2312" 6124 2b190292f58 tab
    3⤵
    PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp

Filesize
8KB

MD5
9cc04e037f1e407a25c05beb2ec5bd8d

SHA1
af5d4329758bd8ed1bd36c2c00e540897a00273e

SHA256
00212c74e16a0b99efd12daf9e4ac87de413a82ab30f3e05d66a36fcff2f1b67

SHA512
5d51bd80b4bd96e1f8a9d1a66ad429e2dce702d928b851a9a22338c25a57ff721c14278d90a7d1f33dffc63dfe52f46ad07bef8de0a527f501228ab39968f1a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\cache2\doomed\18832

Filesize
10KB

MD5
37cf5534352a7de94619607686fb6bfa

SHA1
711d185b1e43762d8462dcc6a3649948cc707a3e

SHA256
fb5064689d40e5bf66b236794026327fe2400e39edd6750312a88ec06300e2f1

SHA512
87a1f6debe588c820ef1f9a4551035620599156f6b67fd4ed4ff819e65aa860e93a710b445fba9a20db2d8f6583a0d3785af62242bbf453994fb1bf22a4b94db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
4f52a9557958106dc3f72ea7928c21c2

SHA1
5ae045c7c3beb599bb5b327182f08d5e67e8fbf2

SHA256
9775eeeb0f710d2ff7fe82ed0cc76d3bf55c684c12931eb2c8a3feaf2fd21e05

SHA512
fce86d8ee91b475e4ed7256138f1f269041da25bc04ae4f116cee6dc0a44fa7169aa46d6c963c20d847d8a1fe9ba11bc998dddc0470b7d707d031d0bfbeae46e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\6371255a-49af-421d-bfca-72f1a04d53f0

Filesize
746B

MD5
5b326e29ba0ac3078e4352b35f9af76a

SHA1
0c7b1cfd8ed117c28633bb604a0aae3a42c32b55

SHA256
fa1f2644e05df1a22240249ca0c54058f1488f5e683b4c11bdb2dfc1232715ef

SHA512
912d894ee9363b8a31a32a8a9482ada547d1a5cd9cae7277b6ce1866c3c6ce07a868a771abdf661c66fd306c316dbdcf1038f1edf79a146c0cb37ef56b5ca56d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\b8e07c7c-66c7-47d0-a296-5df173cd92f1

Filesize
10KB

MD5
17aeedfe910530008328f2b626bb595c

SHA1
dea4536c5aa72ac1fb1b6835f826d3a3cb246f33

SHA256
a30a288000ad593eac93479a49c50a31a86ec4deb4e7e6020aece2f46e67b028

SHA512
a989949e441533f47b3fea9965b75fec818248f83402c1eb7d78e38782169d18abb1289e4c5b349b46ffa2cb78474b7ea0f59d162ac20f7d8e7657d51195b51f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js

Filesize
6KB

MD5
dcfad69e24bb4f99c7e00d4bb6f830ae

SHA1
e495030a18301918e279217ac87463bf422d6f36

SHA256
cfd8e2fbc17a831cb8d7e5a6ee21486bc2331d7c64655d08c5c9af69d2101299

SHA512
680251a74429a0c93c4e5bc4970ca6a367c72afad9a450ac2e146aee4930d59b2b6c382bd81fc9e381800f8dbe728ab6e517b1c854bf2f1f94d0de1fe4012733

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js

Filesize
6KB

MD5
418c7dadf365718f73d29d16b6cdc937

SHA1
f128d00d631cc25421b7ca149ce51eafc6e58a21

SHA256
5da8761249bbcede85e719ce8bcaca580d7d1edeef79ed1770bf3db5c968fda4

SHA512
987fc76d3ff8f6514e4a929f1ba1118f138cdc695a9fc7cc566f42ae1c8bbf46b8dd98def6edbabc7606a3dd7d9dff7e1b382582d7d011e8ec608b732f44ba2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs.js

Filesize
6KB

MD5
5543f88814b685a79366639852eea017

SHA1
7d889c8990b482403c6b7f17fa20fc546986504d

SHA256
662638434027ee7ffbe0a5d15360770a0de2f17b069fa17c3729fd5584189f62

SHA512
6bc6722c74dcd466cb24815e8d6f1a94161a6bd3f932e5ac1e0b8221e8cdc4f79896d2480b5df7a8182989b636ff6cb58751ed18708fdae0aeab7cbcdd35957c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
786e406d4da504647b2bce01b84ad7e3

SHA1
b805b1e62d06e15d3552574d1a40ffbc39c574aa

SHA256
8fc97837cb2d9762ee4bf4947ee4d41102f653e7098b69cb540122029d0641f8

SHA512
8def9ae6d73adfa02dc8c58e950a3a166ebf4e6982a5a07170dcd9aef40551b129becc3d00d3940ff243f11fff6fae10f463e20fd427d2c937987df4c909d0af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
3605a5f7c73816c7a31203eb9fc35633

SHA1
3085661114323b928667076b604327a8dd0eb90c

SHA256
7181f026bf1fd5ed83d3c26d26e1baef72514bd80b768256c786c7227f1df220

SHA512
2f9934e18c39d2e65e33407a45f0f89c6a4e9785362fdd8c0ba33c08154253a4a449ceb35ae88d0d5f87f57d6b3a20c7259d9794578858dc8e751b17c08c05e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
07133438f2b21cdeb7c353cdeee09422

SHA1
4fafbe06c1aacb550d999f393511ec491784fc08

SHA256
fbe057793aaf1d7dc4637854b2308dbdde5538569aee1626f2047d48cd7c5de1

SHA512
10690c5046ada422d2449f77671f47e4b06c2c0d4f485c863683865875a3525fa9bc65f957806a39e03b1252998dd83aeee849fc778fe86cee21e60f984ddaea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
c560b9fc9e7dd859c1c02bbe35ce23e9

SHA1
cd1f492aa124f7e4c0b35f9c72101e6d96e83524

SHA256
e64973e6fd6161214e66feda765cc2ac640a48fc30fba0792c71f9e30282c7cd

SHA512
7af98bd202ff97f1114ea773473524d06c06894ee7ade786985df36e73acc4f247403a04525ba6088bc45393af25f86ea388972f71963e299e766c252a07e5e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
630756e723942adb7ea2ee0339df685d

SHA1
eb13737a68c3958d5ffde3fbae0a61940b37ed9f

SHA256
7a1e4f514d1e23c94781313839f59704fe2999840101079f7b47783f015af5ef

SHA512
098f77b35c8028f30a91e74941cf3a1221836f86b21d3b0d78c0d0dc46542984014b9e0bdfebd74007e8709fa1a4da33356f00ca9d944c306a91221e3d91ac75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
16f272fcb28c4ed35e2f62d55c6b11fd

SHA1
f21887c1c5bfd60f44b48597a098a5b7d2ea32e8

SHA256
475043127214456ceddba0cb543c46027ee2d988a816eb94f7e7f937942e5f90

SHA512
b517ccd40db34f524b4b8beae52a674e4bbc3522d0195d990d4cc3ca39dca66553235a5f1628b409e59bea87fe4c3b7fbb0a3c503e5c9788bac12cf2122fcd17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
188efa26554911fa9a85b29cfde6f9b6

SHA1
2fa7b475901d3ace50ba59ede7c7e57d0def47b9

SHA256
c35c61bf8aaef50d76ef6df15e0ef107a1683d25efd0b8d60b31bf1e5be58a08

SHA512
4e067ec18d87c6865e7751c92e11fd3b13cac59d9af43fb52642cccd660e971844f4fd51071ccb72436a41b6a77c4b92ae23e4229ddfda4cb045a2854fe77e96

Download Submit
memory/3784-32-0x0000023D09E60000-0x0000023D09E68000-memory.dmp

Filesize
32KB

Download
memory/3784-16-0x0000023D059B0000-0x0000023D059C0000-memory.dmp

Filesize
64KB

Download
memory/3784-0-0x0000023D05800000-0x0000023D05810000-memory.dmp

Filesize
64KB

Download
memory/4956-479-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-507-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-58-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-62-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-65-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-66-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-68-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-67-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-61-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-60-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-59-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-69-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-70-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-71-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-72-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-75-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-76-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-77-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-79-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-78-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-82-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-83-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-86-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-89-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-88-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-87-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-85-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-84-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-93-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-54-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-51-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-49-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-50-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-95-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-101-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-107-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-119-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-123-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-48-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-478-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-480-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-486-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-482-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-488-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-490-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-499-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-504-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-55-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-511-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-514-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-517-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-521-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-526-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-527-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-523-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-535-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-542-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-543-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-545-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-47-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-556-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-560-0x000002A4F18D0000-0x000002A4F18E0000-memory.dmp

Filesize
64KB

Download
memory/4956-559-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-565-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-564-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-571-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-580-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-579-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-590-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-592-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-593-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-589-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-587-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-600-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-606-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-605-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-611-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-614-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-618-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-628-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-625-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-623-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-630-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-633-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-634-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-642-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-645-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-648-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-650-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-654-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-45-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-44-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-41-0x000002A4F0C30000-0x000002A4F0C40000-memory.dmp

Filesize
64KB

Download
memory/4956-39-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download
memory/4956-38-0x000002A4F0C00000-0x000002A4F0C10000-memory.dmp

Filesize
64KB

Download