df430e88e62b426b7c75ba29eb28eff3b77714999a28c6f9aa9172085f78cd3a

Analysis

max time kernel
51s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stremio+4.4.165.exe
Size

112.7MB
MD5

bb7ed7feaf8aebeb43ff9c376d0a8e22
SHA1

f0729b51043b8fb5edebddfd69c67c7b14ce01af
SHA256

df430e88e62b426b7c75ba29eb28eff3b77714999a28c6f9aa9172085f78cd3a
SHA512

9984643c76ddeb8bb612ec86187a0b7a835e0b5f369137ef5a453fd2cadc5ea0d0c6fad21deeb60af5cb09fd9b9ec25fb9e090d394be3c242b99de512bfde465
SSDEEP

3145728:+YdpqKUfzM8/I/6Uj2jDxXz8sGd1TiDlSdgSbc+cYO5NCO1JT1:1doK18wiucDZxG7TOlSKSI+0NCO191

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	stremio-runtime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	stremio-runtime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	stremio-runtime.exe

Executes dropped EXE 9 IoCs

pid	Process
3580	stremio.exe
3172	stremio-runtime.exe
4448	QtWebEngineProcess.exe
1476	QtWebEngineProcess.exe
404	ffprobe.exe
5104	stremio-runtime.exe
3508	ffprobe.exe
1740	stremio-runtime.exe
5092	ffprobe.exe

Loads dropped DLL 64 IoCs

pid	Process
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4440	3172	WerFault.exe	99
5004	5104	WerFault.exe	108
2536	1740	WerFault.exe	114

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,0"	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1"	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell\open\command	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe \"%1\""	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\URL Protocol	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\DefaultIcon	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open\command	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\ = "BitTorrent file"	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell\open	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\DefaultIcon	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\ = "URL:Stremio Protocol"	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\""	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.torrent\stremio_backup	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\""	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\ = "URL:BitTorrent magnet"	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\URL Protocol	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell\open\ = "Play with Stremio"	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\shell\ = "open"	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\stremio\shell\ = "open"	Stremio+4.4.165.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.torrent	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1"	Stremio+4.4.165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.torrent\ = "stremio"	Stremio+4.4.165.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c000000010000000400000000080000040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	QtWebEngineProcess.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3580	stremio.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
1504	Stremio+4.4.165.exe
4448	QtWebEngineProcess.exe
4448	QtWebEngineProcess.exe
1476	QtWebEngineProcess.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3580	stremio.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe
3580	stremio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3580	1504	Stremio+4.4.165.exe	97
PID 1504 wrote to memory of 3580	1504	Stremio+4.4.165.exe	97
PID 1504 wrote to memory of 3580	1504	Stremio+4.4.165.exe	97
PID 3580 wrote to memory of 3172	3580	stremio.exe	99
PID 3580 wrote to memory of 3172	3580	stremio.exe	99
PID 3580 wrote to memory of 3172	3580	stremio.exe	99
PID 3580 wrote to memory of 4448	3580	stremio.exe	101
PID 3580 wrote to memory of 4448	3580	stremio.exe	101
PID 3580 wrote to memory of 4448	3580	stremio.exe	101
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3580 wrote to memory of 1476	3580	stremio.exe	102
PID 3172 wrote to memory of 404	3172	stremio-runtime.exe	103
PID 3172 wrote to memory of 404	3172	stremio-runtime.exe	103
PID 3580 wrote to memory of 5104	3580	stremio.exe	108
PID 3580 wrote to memory of 5104	3580	stremio.exe	108
PID 3580 wrote to memory of 5104	3580	stremio.exe	108
PID 5104 wrote to memory of 3508	5104	stremio-runtime.exe	110
PID 5104 wrote to memory of 3508	5104	stremio-runtime.exe	110
PID 3580 wrote to memory of 1740	3580	stremio.exe	114
PID 3580 wrote to memory of 1740	3580	stremio.exe	114
PID 3580 wrote to memory of 1740	3580	stremio.exe	114
PID 1740 wrote to memory of 5092	1740	stremio-runtime.exe	116
PID 1740 wrote to memory of 5092	1740	stremio-runtime.exe	116

C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.165.exe
"C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.165.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe
  "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1088
      4⤵
      Program crash
      PID:4440
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
    "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --application-name=Stremio --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=3120 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:4448
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
    "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=renderer --autoplay-policy=no-user-gesture-required --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=2 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:3508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1100
      4⤵
      Program crash
      PID:5004
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1116
      4⤵
      Program crash
      PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3172 -ip 3172
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5104 -ip 5104
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1740 -ip 1740
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe

Filesize
49.1MB

MD5
58a451f04d8da2f547edf753fbe03fdf

SHA1
dfe60e0de8f4f892fdd5719d7b9657ad232f7414

SHA256
2a9d34c190c8c639c2817a371cd8ab6e5d8c8f5d0c45b8c72fbb1d9d4c1e9227

SHA512
0580068222d415ac6cb1f48a236ce425a57cf860cd802bfd31e76a296d269b8d4b9dd174d5d88552616ed7c99c1e758b23c4f69fa5f23c522f1f312f1a8d3ca6

Download Submit
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe

Filesize
300KB

MD5
aa366c09bf262e172741c9be289fcca1

SHA1
165a122c2aaf882f5ed76b3132e61f96006910e6

SHA256
3fa56731a29f0d9d901b7a158c1b05b2bb1354fd2dfb0dcd999e69039b23e280

SHA512
7ae09a2d53c0e8d481ca475af78c2548ccc823c77c65ea761d94da830f28b553661f5d3ee95a245a2838d0885e206ac13efb9cda08977eeba9f50eb19e877b0e

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\cf5990fa-a2ea-419d-983d-1b1334aff6fb\index-dir\temp-index

Filesize
72B

MD5
0f463955af778e92a94eebfd1e9d230c

SHA1
a71caaa137069106aee1a9f49293843b5f1f1a29

SHA256
c2b70f1be0c473e9be3fdfe5fc0f3f5f0e3c14e7e51e547420641ce8ae9fe080

SHA512
7f2ea63853cd093c1a30379fe5c7d18cfb56ee5e41e800324496dbcb4f3336528d004b17bbc594fc552ad969289473811b24b067384096e65fc6b27add6ab00c

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\cf5990fa-a2ea-419d-983d-1b1334aff6fb\index-dir\the-real-index~RFe5801c0.TMP

Filesize
48B

MD5
6672367cf1aea45de0189468f9f5530b

SHA1
c9ca6169bf2b84bb83e100f70d302fc703ed2ca3

SHA256
cac8edb389622644419c3d4421249479c0a01d1ca16224fe8b6d0de5396094bd

SHA512
978d671cff039eb51dbbea2e38c9620ad71f5f58c0f8d8d5f7e9656f241a252b11619feee43bdcad08bebf1e3e133f5f3f784b2334c3532d6fe8e8f63c1ede5e

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\index.txt

Filesize
106B

MD5
2c1a8fdb819cb95a03aceb443054f188

SHA1
d4c20f49643c5ae712ca58d1c31c58d1246500bf

SHA256
2bc69555117906df4ce5d01a304bd433eed9ee616814cfb4611acb87ef3985aa

SHA512
7d0c8d6039d7cd35e15a5e9cd29a507a090e7a05949f524161ac3293440aba0b9d4b574bbe92d82a3b1019e8be4d1c2177dc843db10c1e9b606951adcac8bae2

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\index.txt.tmp

Filesize
101B

MD5
9dc036a6c1e281f461ae4f0612da281f

SHA1
7facae9152c567f5b84559f68132dbc0c94cd725

SHA256
9b35c431e5ce0244157c5e32c642b0abb8208022d9477cf31d5cdde9fc9e07ba

SHA512
7acf3bdd20422a1c41979b6270e604ed20c265c023ee212271f45155059972cebb2d5be047599cf3fd267f6dcab7dbc30ee560bfd79afcfc126007c6d1ddb11f

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
444bd7ed93abc2af5e7dbd1a7cf43c53

SHA1
d5f8e097c5dd0b54a477f86129d2522276c47d13

SHA256
071d93abbf77891853b3ed1d1fd85904f2747d623e6f9aa4362faab55162a929

SHA512
876be08043074960f42df39ca60916e492803022fa636c6dd009aa86b6b6034048de113547955fb79088e92fbddc4c35254515bf8f4233386284684db6b1b4c3

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57fec3.TMP

Filesize
48B

MD5
04770fbe8c6cb382a90f059856f9b0ae

SHA1
c92a321dc09f67fd9351bbe07449d58b4cec3757

SHA256
9f788354b716669ceb6bfa1d6ceab2a11aabd2fd70fa5833fa8dc80338b7abd2

SHA512
8069a9676b2758eb361013612667f4d774ecd96dc958add271ac16e92f1b7fda453686be74ded27a8c9658c8e91bbff03971aa68c44c2e564d51224d9151a2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk53ED.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk53ED.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
memory/3580-4029-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4021-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-3993-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4011-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4010-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4009-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4044-0x000000000BEA0000-0x000000000BEA1000-memory.dmp

Filesize
4KB

Download
memory/3580-4043-0x000000000BEA0000-0x000000000BEA1000-memory.dmp

Filesize
4KB

Download
memory/3580-4042-0x000000000BEA0000-0x000000000BEA1000-memory.dmp

Filesize
4KB

Download
memory/3580-4045-0x000000000BEA0000-0x000000000BEA1000-memory.dmp

Filesize
4KB

Download
memory/3580-4046-0x000000000BEA0000-0x000000000BEA1000-memory.dmp

Filesize
4KB

Download
memory/3580-4041-0x000000000BEA0000-0x000000000BEA1000-memory.dmp

Filesize
4KB

Download
memory/3580-4039-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4038-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4037-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4036-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4035-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4034-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4033-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4032-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4031-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4030-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-3990-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/3580-4028-0x000000000BE90000-0x000000000BE91000-memory.dmp

Filesize
4KB

Download
memory/3580-4026-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4025-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4024-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4023-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4022-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-3991-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/3580-4020-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4019-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4018-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4017-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4016-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4015-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4014-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4013-0x000000000BE70000-0x000000000BE71000-memory.dmp

Filesize
4KB

Download
memory/3580-4012-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4007-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4006-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4005-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4004-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4003-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4002-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4001-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-4000-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-3999-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-3998-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-3997-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-3988-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/3580-3989-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/3580-3987-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/3580-3979-0x0000000004D50000-0x0000000004F50000-memory.dmp

Filesize
2.0MB

Download
memory/3580-3977-0x0000000004910000-0x0000000004D50000-memory.dmp

Filesize
4.2MB

Download
memory/3580-3976-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/3580-3996-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-3995-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/3580-3994-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download