Overview

overview

10

Static

static

3

68896184a0...2f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    741s
  • max time network
    737s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2024 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68896184a0a231f1b18342108f0d9489d452fe49054a694ab3c191a07ddc432f.exe

  • Size

    1.8MB

  • MD5

    f1911ac059309245915628965e4fdbfc

  • SHA1

    ae7156458b7ad36e0e5c57069383fb0728a811f7

  • SHA256

    68896184a0a231f1b18342108f0d9489d452fe49054a694ab3c191a07ddc432f

  • SHA512

    20eec5f655559129bc5dd5556e837e9aab8984dae5a7a45a427f1ed1878311c4826672b3f6a78185ff4f245851879984d42a94efd390b53eb203d2cfef806e88

  • SSDEEP

    49152:L6PX2tSZN/uBiZz2Wcgudz6uM+c+q4GlQP0H:L6PX2tSqBigFc+UlQc

Score
10/10
amadeyevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 30 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Identifies Wine through registry keys 2 TTPs 15 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\68896184a0a231f1b18342108f0d9489d452fe49054a694ab3c191a07ddc432f.exe
    "C:\Users\Admin\AppData\Local\Temp\68896184a0a231f1b18342108f0d9489d452fe49054a694ab3c191a07ddc432f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
              PID:3160
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4956
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:544
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4536
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5056
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1248
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4732
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1360
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2280
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1800
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3292
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4400
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4736
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1012
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4120
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2164
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4796
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4884
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc"
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:936
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:760
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1616
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2212
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4452
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1044
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.0.563147075\998119421" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1acff7e7-3e36-41b5-a515-bffe9461ea6b} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 1980 1da789f1458 gpu
          3⤵
            PID:1408
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.1.2018463310\932822238" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f108ec92-d47c-48b1-9d55-6d5e3f3531e4} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 2380 1da6c072258 socket
            3⤵
            • Checks processor information in registry
            PID:3928
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.2.886678201\946346776" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3128 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52a8aa94-e0ec-42c9-8f58-1eec208cdbe9} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 2908 1da78958358 tab
            3⤵
              PID:5084
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.3.2006737368\491452975" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d7c2ab-5e22-48eb-ab0f-ff5ac8e3cf0f} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 3564 1da6c06a258 tab
              3⤵
                PID:4988
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.4.209079729\534141923" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 4324 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f354eb0e-c257-4251-bdc9-0c1809240ac5} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 4340 1da7e975558 tab
                3⤵
                  PID:3696
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.5.862366122\339648286" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5a34710-1e69-453a-9e05-7621fc6c6376} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 5152 1da7ee81458 tab
                  3⤵
                    PID:3808
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.6.2059929378\1398691756" -childID 5 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ef25a7-bd7e-42ba-ab5b-16f813102967} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 5284 1da7ee82358 tab
                    3⤵
                      PID:4952
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.7.35353085\1525377625" -childID 6 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab00879d-33d7-4de3-a52a-08a8e1f68d39} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 5476 1da7ee82f58 tab
                      3⤵
                        PID:4260
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.8.1923616854\1794273063" -childID 7 -isForBrowser -prefsHandle 5536 -prefMapHandle 5940 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f47a620b-1ac1-4e3a-96a5-5b5088fe8cd7} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 5516 1da7b59a958 tab
                        3⤵
                          PID:2348
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.9.1723042359\1683303768" -childID 8 -isForBrowser -prefsHandle 6260 -prefMapHandle 6264 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10940be2-6323-4c0b-8486-974b92a7353a} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 6252 1da81174858 tab
                          3⤵
                            PID:3584
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.10.785712616\1144378812" -childID 9 -isForBrowser -prefsHandle 4420 -prefMapHandle 4408 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9630bf2f-2f1c-4916-a848-4be7fc2d11a6} 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 4580 1da6c05e858 tab
                            3⤵
                              PID:4808
                        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:2556
                        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:2844
                        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:1960
                        • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                          1⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:4188
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                            2⤵
                            • Loads dropped DLL
                            PID:5080
                            • C:\Windows\system32\rundll32.exe
                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                              3⤵
                              • Blocklisted process makes network request
                              • Loads dropped DLL
                              PID:4056
                              • C:\Windows\system32\netsh.exe
                                netsh wlan show profiles
                                4⤵
                                  PID:976
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
                                  4⤵
                                    PID:4480
                              • C:\Windows\SysWOW64\rundll32.exe
                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                2⤵
                                • Blocklisted process makes network request
                                • Loads dropped DLL
                                PID:224

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              3KB

                              MD5

                              fe3aab3ae544a134b68e881b82b70169

                              SHA1

                              926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

                              SHA256

                              bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

                              SHA512

                              3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              1KB

                              MD5

                              0ab20073a321ca2523d6dd6cbb83da81

                              SHA1

                              9234ff5e060df29dac50137e977bec97fa97d48c

                              SHA256

                              1ef7694af8566bf1edcb8b201037a4a5a8d13562274cdb21c659a1714d8e21a9

                              SHA512

                              70d1604e9b19b8d86833571829e8903d0f1afcb079d212f193bbe7f986e667ea7b770fabac8df2d14a79fc89892a3f91412b28a0efb0a5d2a5ae54687a7f393a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\92qyi9k9.default-release\cache2\doomed\18683
                              Filesize

                              22KB

                              MD5

                              d3a90fec5568439be8d6f88c7933b98c

                              SHA1

                              2305b6dd9a7dcbbb0c9763a26672e4f210dda627

                              SHA256

                              c4ad8c90202297e5017caa4998fd85770ecabd641387ff3cb5ec76e46c618646

                              SHA512

                              2ffa7a4d8e7cdc8d3ffc368cf30700b61d6864094176de66db4a109e17fcc5acfb4f1006ec1f1459a0aa0cfde17daffff1f7ffb5eb96c56bc19adccaae53c6ca

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                              Filesize

                              2KB

                              MD5

                              6ca528379e95ac41343a82448d308386

                              SHA1

                              a330e887c5628c5ac3b489c4eee0e90bd05cc932

                              SHA256

                              7bb46e71aa3938598e26fbf23198a026a9c864d212d8fcef359dd81edcabee4a

                              SHA512

                              96a9b917d8dcd8cf561bd176e4e1ca96a7766cd43a74f97c935c6f9123164393ad66541615c44301180625c80d98d8425094633a591ae975d52f4961dd504b15

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
                              Filesize

                              36KB

                              MD5

                              0e2a09c8b94747fa78ec836b5711c0c0

                              SHA1

                              92495421ad887f27f53784c470884802797025ad

                              SHA256

                              0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

                              SHA512

                              61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
                              Filesize

                              36KB

                              MD5

                              fb5f8866e1f4c9c1c7f4d377934ff4b2

                              SHA1

                              d0a329e387fb7bcba205364938417a67dbb4118a

                              SHA256

                              1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

                              SHA512

                              0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml
                              Filesize

                              96B

                              MD5

                              2415f1b0b1e5150e9f1e871081fd1fad

                              SHA1

                              a79e4bfddc3daf75f059fda3547bd18282d993f7

                              SHA256

                              3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae

                              SHA512

                              5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                              Filesize

                              1.8MB

                              MD5

                              f1911ac059309245915628965e4fdbfc

                              SHA1

                              ae7156458b7ad36e0e5c57069383fb0728a811f7

                              SHA256

                              68896184a0a231f1b18342108f0d9489d452fe49054a694ab3c191a07ddc432f

                              SHA512

                              20eec5f655559129bc5dd5556e837e9aab8984dae5a7a45a427f1ed1878311c4826672b3f6a78185ff4f245851879984d42a94efd390b53eb203d2cfef806e88

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip
                              Filesize

                              379KB

                              MD5

                              38541a5b9a3c06160ea6ec7eff714ce7

                              SHA1

                              00d7431e83515b4820135ee24eef830f97d131b7

                              SHA256

                              c63e854bdd6596f56dab38ec5a97c7db546e5e43bebdaa7ac0424616a2fed6b3

                              SHA512

                              bec4eb09ca2494830b31acffd4c89ca1d02a34a25081343036a60b354f314f6aef9b075ae8a04ea3594eb6c33d9ce6387cbf8121f1c480fac28330f5f34c50bb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\_Files_\AssertEdit.xls
                              Filesize

                              181KB

                              MD5

                              94f4e64f3de200fff5d56ec8572e267a

                              SHA1

                              8932bfdc1813c4effc21e05342c522583c4e459d

                              SHA256

                              103065128a3aed2e1320e69050881a861cea160a15eefd13d0b15bc71ecedaa0

                              SHA512

                              eb249a290c4416367e646556183c5d68d1113b2aa21a5b1ef33a3cfdfee623c443b6eeaa5410fb9730550346f2a510794b5c60b47996a6063fe0a0058a86637e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\_Files_\InvokeEnable.xls
                              Filesize

                              198KB

                              MD5

                              625475b1717abe1d737837a84a011f51

                              SHA1

                              a45db12a335da887eaa27f0c0b990db6523f7b76

                              SHA256

                              6640c867254067e47801c6fd03ab47a77ca73c1ccb3a6145e92c7ac7eced3fc0

                              SHA512

                              42492692cf789e5002440525855f1db9e0c3cb969b9cd1673e29d903435be68a9d11311277f2199b5a40fbd983c149a201e385dc7887a2dcc4ed14225857e41a

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vc30lt4k.azf.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin
                              Filesize

                              2KB

                              MD5

                              f5f314ff3741ea22d112df0a2ddc647d

                              SHA1

                              c2b4855176d74bd57a84a3bad7eb05507eba522b

                              SHA256

                              9cf6d6866c1ab9caa5a8c97e64a1a1ed364f54d01a82d5816fa8f7f641a09e57

                              SHA512

                              c847d5836c347f7798c3a34a083e25457cbbb993842306200c1c48b36fb7f0c2585f5c3caeaba4eee1acc363baad26e04940c7caf9f7ee144b5ee15c0dc6189b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\54a62752-639a-4c0c-8474-eccb7887898b
                              Filesize

                              11KB

                              MD5

                              569922bcdcdc918b2d53c69fb809c3d7

                              SHA1

                              ea3f95bce75be3b76e046f154abce60ab68cc6f1

                              SHA256

                              90a931b563461d4ee5d145002444c909fc87db526bda7172360c4f9260b37ff5

                              SHA512

                              7cd32acf06b9402d43b98a02566ca2c9dd8e0c8e48fc3ec9bc454e69363f077925257372fff6bb31c280ff70bb1ca57b6824932342351403aa202d1ffa75a5a0

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\deec561a-ad9a-4d76-968f-12615e444da2
                              Filesize

                              746B

                              MD5

                              4734dfa492e7f5d661a0050bec02ff1c

                              SHA1

                              ef66394947a78db342ab321e67daf1d0c6293791

                              SHA256

                              86f1f6306a30db1ec4a683cf72a1ee3a684aacbd1c4ee9418c8177e0dad0195c

                              SHA512

                              1e7e0b2bc904bc9beda5e45b9cfe594f572ff1411708ad416b2d22c9fb50947bb1b32b2a2d639d055342caf933331de1a9b0f5ed52667c86241707e9292b5ae4

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              ba28a26c3036548f475e34c68caebfd9

                              SHA1

                              98a092db5db1b106d6f213a04204462bced63615

                              SHA256

                              498928e836c2b187a5372a28f6a46078721591e515dc082527637ad1f289fd1b

                              SHA512

                              3990967a33ff3d0472bbcf632ad640c43bd8e32a59120b45e28ce3c7db04ce9ecc02a9c3de876db02239c0c7f5198b5244124175be13e17cb920e14f1e000ca2

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              5847fba0b2d2de593dcda9519db68b25

                              SHA1

                              d3dd1a6b75956ef37215a2bbbe63705213cd3524

                              SHA256

                              eaefefb1d4b4557a82ceb89491e41309b0391ee23612b813b8969d321d9751d4

                              SHA512

                              1a8a51705175927f801766e461d1197e733684ced8dd8132037512a4c29bafa38843121961b4462d5a775e0264420cab657f119316a6c2a6bcb233c51638d8e1

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              7029d181ac870820a34394ebbf3436e5

                              SHA1

                              e100f470f021ab033c72c6134075ad84c2fef3c4

                              SHA256

                              ca8765c207ef331e0c0a65bff58f471aff6eeb19798cbaa16ef2b4445db92b09

                              SHA512

                              e3c85259f1c04047ba01f73f282d804da027349ccd2a87cade25873a974a733247a0b1f98863d6a53e474192e6db5649e45867272b8f27013e271d3730f65901

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              d10e21611d59a503bc1817908894dc04

                              SHA1

                              b81d66cac065ef55d53cc07eb6b81d467b23f005

                              SHA256

                              a6e8d6852be496c8bda9326fe44e2fce6b6c45d3bd029a53d11a3f69c4ed4565

                              SHA512

                              54ca2a8aa1f96ceb123abecc82be167c974a8f5b5b56e1cedff3a700bd6a98311567a26acb8027ca8f856b10ba5f10d5bed33866d1888079413b06c614ef7bbe

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              7f2a37f34d4f794c7a4900f506056ab3

                              SHA1

                              d1e46cf2dfa78424f6dd81a26f9239eb7697e341

                              SHA256

                              590e8e088faed2c585915aa5530d72038c3d279eec9191d270911d06a075dbbe

                              SHA512

                              025d21ac157f36f6044923422dd8a02425944c1d057c8c3ca86a27a13b2c2c1b1e5a21eb381dcb253125a4facf58e1bff62947e6ffdad73867a6f54e5e4e9c10

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              2KB

                              MD5

                              0db9c81ceaeeb823bf553434a727b600

                              SHA1

                              71fb7f09a56a979a88d0a9745b00bbe65fb486a3

                              SHA256

                              d0b0612838ac5fd62ef43d86f3a48819ad6526b36a25b6b3256a1439ac212d41

                              SHA512

                              7ad798cea449b8c8fa3dc355635273fcdee5471a259083d764320411a82392a01996c4c10404aa157f72198bc17539546bddfe92082b97874b9ab54da1947f5f

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore.jsonlz4
                              Filesize

                              1KB

                              MD5

                              02c0885cf592d1ee1c7d824805a55f59

                              SHA1

                              29b63a048bfa47a52f46b749a5c5e19827d5690f

                              SHA256

                              420c955251c40046724f1a70226bafe1a80fdf0fa2297cf7aa41310056807b00

                              SHA512

                              848b2605610c5c4a25c67e0a5e0de4917260ad3946380dda874f6717e39e8f8a1956ee6ff9615d137e17e53763c38df00f0278a28ea3ccd9a38cd3771eaa99e9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\storage\default\https+++www.virustotal.com\cache\morgue\28\{c8ee14b3-6b6e-4b41-b773-d6bcba42971c}.final
                              Filesize

                              47KB

                              MD5

                              839d36f6de22d26984e9de6bbb59b079

                              SHA1

                              2e92e3eec1fad1dd4d3eba6b859eb5a0a704d247

                              SHA256

                              0faff9722edccb4801560c37138a74cb77ecb47a3b7d4bbb40db517de59fe67c

                              SHA512

                              85c6810d73d94c2e9bd291fd5d0b8b480496d18d29fc61dbf6ba3564318d349d5baa81a2deee07ac3eb089302478d5b2bdfe95aa215a14abd4cde2159cec9f06

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                              Filesize

                              184KB

                              MD5

                              feacfeaa6370d0dd460a0609e1e1435e

                              SHA1

                              1463da69f34d0efa56e61d9dd55ac1f435237b5b

                              SHA256

                              d57b87db93a487d521c52be8e0d599fcfb17e8012f6066c303f4e48e92c3f439

                              SHA512

                              61097d4419f67e7b364a5f0f3a248d801e0bbff2283ffce8cb89a5d43309145288c20ce1a6620217c81256db7da81de7d184a0c7eb769ea237902a5abbe5782b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
                              Filesize

                              109KB

                              MD5

                              726cd06231883a159ec1ce28dd538699

                              SHA1

                              404897e6a133d255ad5a9c26ac6414d7134285a2

                              SHA256

                              12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

                              SHA512

                              9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                              Filesize

                              167KB

                              MD5

                              b057dc9f7cea493aecf65b4776da1cc6

                              SHA1

                              7919bed264bc307011663e25729f54de1a7ac367

                              SHA256

                              712e412663d52bbdcaf570030e29b9da1e2bfe1df9488ae5eed563802f37625f

                              SHA512

                              2c56ee62fb1b0cefe9469f8787f3b8245ce30962872550faa478d2e3ef3bc9ab1eefd417f8c6f19ef7cdfcbd701d23854f2fd44dd351e2e4d74ee8f7b0b5064b

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                              Filesize

                              1.2MB

                              MD5

                              15a42d3e4579da615a384c717ab2109b

                              SHA1

                              22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

                              SHA256

                              3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

                              SHA512

                              1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

                              Download Submit

                            • memory/544-23-0x0000000000EF0000-0x00000000013A4000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/544-10-0x0000000005630000-0x0000000005631000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-8-0x00000000055B0000-0x00000000055B1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-9-0x0000000005600000-0x0000000005601000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-5-0x00000000055C0000-0x00000000055C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-6-0x0000000005610000-0x0000000005611000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-1-0x0000000077844000-0x0000000077846000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/544-2-0x0000000000EF0000-0x00000000013A4000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/544-4-0x00000000055E0000-0x00000000055E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-11-0x0000000005620000-0x0000000005621000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-0-0x0000000000EF0000-0x00000000013A4000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/544-3-0x00000000055D0000-0x00000000055D1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/544-7-0x00000000055A0000-0x00000000055A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-120-0x0000000005620000-0x0000000005621000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-122-0x0000000005680000-0x0000000005681000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-114-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1248-123-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1248-119-0x0000000005690000-0x0000000005691000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-115-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1248-121-0x0000000005630000-0x0000000005631000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-117-0x0000000005660000-0x0000000005661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-118-0x0000000005640000-0x0000000005641000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1248-116-0x0000000005650000-0x0000000005651000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1360-159-0x000001E585290000-0x000001E5852B0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1360-157-0x000001E5852D0000-0x000001E5852F0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1360-161-0x000001E5858A0000-0x000001E5858C0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1800-200-0x000001531EEC0000-0x000001531EEE0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1800-204-0x000001531F290000-0x000001531F2B0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1800-202-0x000001531EE80000-0x000001531EEA0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/1924-48-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-353-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-24-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-25-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-27-0x0000000005790000-0x0000000005791000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-26-0x00000000057A0000-0x00000000057A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-28-0x00000000057D0000-0x00000000057D1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-29-0x0000000005760000-0x0000000005761000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-30-0x0000000005780000-0x0000000005781000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-110-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-111-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-112-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-31-0x0000000005770000-0x0000000005771000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-32-0x00000000057C0000-0x00000000057C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-86-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-33-0x00000000057F0000-0x00000000057F1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-34-0x00000000057E0000-0x00000000057E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1924-370-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-369-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-246-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-358-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-357-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-124-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-125-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-356-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-355-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-354-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-245-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-49-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-47-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-46-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-171-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-247-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-248-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-249-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-250-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-342-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-341-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-340-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-260-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-261-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-339-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-231-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-232-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/1924-233-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2164-368-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/2280-184-0x0000014A95A50000-0x0000014A95A70000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/2280-181-0x0000014A95640000-0x0000014A95660000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/2280-179-0x0000014A95680000-0x0000014A956A0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/3292-220-0x0000028A1B890000-0x0000028A1B8B0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/3292-224-0x0000028A1BC60000-0x0000028A1BC80000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/3292-222-0x0000028A1B850000-0x0000028A1B870000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/4120-352-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4400-240-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-237-0x0000000004D60000-0x0000000004D61000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-243-0x0000000004D90000-0x0000000004D91000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-242-0x0000000004D40000-0x0000000004D41000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-241-0x0000000004D30000-0x0000000004D31000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-238-0x0000000004D70000-0x0000000004D71000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-235-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4400-239-0x0000000004D50000-0x0000000004D51000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4400-236-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4400-244-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4536-39-0x00000000058C0000-0x00000000058C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4536-38-0x00000000058B0000-0x00000000058B1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4536-45-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4536-44-0x00000000058E0000-0x00000000058E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4536-37-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4536-41-0x00000000058F0000-0x00000000058F1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4536-40-0x00000000058A0000-0x00000000058A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4536-36-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4536-42-0x0000000005880000-0x0000000005881000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4536-43-0x0000000005890000-0x0000000005891000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4732-136-0x000001D3AB2E0000-0x000001D3AB300000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/4732-134-0x000001CBA9CC0000-0x000001CBA9CE0000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/4732-132-0x000001CBA9D00000-0x000001CBA9D20000-memory.dmp

                              Filesize

                              128KB

                              Download

                            • memory/4736-253-0x0000000005110000-0x0000000005111000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4736-252-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4736-255-0x0000000005130000-0x0000000005131000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4736-254-0x0000000005100000-0x0000000005101000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4736-259-0x0000000000EE0000-0x0000000001394000-memory.dmp

                              Filesize

                              4.7MB

                              Download

                            • memory/4956-74-0x000001EBA4150000-0x000001EBA4160000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4956-84-0x00007FFEE6600000-0x00007FFEE70C1000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4956-77-0x000001EBBE8E0000-0x000001EBBE8F2000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/4956-75-0x000001EBA4150000-0x000001EBA4160000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4956-73-0x00007FFEE6600000-0x00007FFEE70C1000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4956-63-0x000001EBBE410000-0x000001EBBE432000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/4956-76-0x000001EBA4150000-0x000001EBA4160000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4956-78-0x000001EBBE400000-0x000001EBBE40A000-memory.dmp

                              Filesize

                              40KB

                              Download

                            • memory/5056-99-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-97-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-98-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-109-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-108-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-107-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-106-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-105-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-104-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5056-103-0x00000212FD720000-0x00000212FD721000-memory.dmp

                              Filesize

                              4KB

                              Download