agenttesla | eeb14fae34a305b9bf24954715705b38bdb20f50d785383c0ab7d3ec4a28c1cf

Resubmissions

29-03-2024 14:27

240329-rss9jsba97

Analysis

max time kernel
235s
max time network
254s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246b78329cdef1989c4f27b411312162_JaffaCakes118.exe
Size

718KB
MD5

246b78329cdef1989c4f27b411312162
SHA1

b6ac11752aa87dbda5095f4906216dec11ec49ec
SHA256

eeb14fae34a305b9bf24954715705b38bdb20f50d785383c0ab7d3ec4a28c1cf
SHA512

3d12b5c1fbb70169a2c63cb8556deea1ff334ef1df1e6f302c87fc4e325a4aa9cb71cfdcbaccf173cfb9db25548ea92c63aa2eae561c9901e06fdc5c4d3508fe
SSDEEP

6144:Wyo3eVzVExarcrPrAKcrIzlakgN6w0lPvyN4EllRQi4thwrjoKfbcAG8l0qPmZOM:Wyo8LrCcIz/gN6L9vL66iGhiJJPI7U

Score

10^/10

agenttesla collection keylogger phishing spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.montarotul.es
Port:
587
Username:
[email protected]
Password:
mig5831

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Detected phishing page
phishing

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-199-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

246b78329cdef1989c4f27b411312162_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	246b78329cdef1989c4f27b411312162_JaffaCakes118.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

97 wtfismyip.com
98 wtfismyip.com
99 wtfismyip.com
96 wtfismyip.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

246b78329cdef1989c4f27b411312162_JaffaCakes118.exe

description pid process target process

PID 2356 set thread context of 1992 2356 246b78329cdef1989c4f27b411312162_JaffaCakes118.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
97	wtfismyip.com
98	wtfismyip.com
99	wtfismyip.com
96	wtfismyip.com

description	pid	process	target process
PID 2356 set thread context of 1992	2356	246b78329cdef1989c4f27b411312162_JaffaCakes118.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5448 schtasks.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings firefox.exe

pid	process
5448	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

246b78329cdef1989c4f27b411312162_JaffaCakes118.exeRegSvcs.exe

pid	process
2356	246b78329cdef1989c4f27b411312162_JaffaCakes118.exe
2356	246b78329cdef1989c4f27b411312162_JaffaCakes118.exe
1992	RegSvcs.exe
1992	RegSvcs.exe
1992	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firefox.exeAUDIODG.EXE246b78329cdef1989c4f27b411312162_JaffaCakes118.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1636	firefox.exe
Token: SeDebugPrivilege	1636	firefox.exe
Token: 33	5616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5616	AUDIODG.EXE
Token: SeDebugPrivilege	2356	246b78329cdef1989c4f27b411312162_JaffaCakes118.exe
Token: SeDebugPrivilege	1992	RegSvcs.exe
Token: SeDebugPrivilege	1636	firefox.exe
Token: SeDebugPrivilege	1636	firefox.exe
Token: SeDebugPrivilege	1636	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exe

pid process

1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exe

pid process

1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
1636 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1636 firefox.exe

pid	process
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe

pid	process
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe

pid	process
1636	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 4848 wrote to memory of 1636	4848	firefox.exe	firefox.exe
PID 1636 wrote to memory of 412	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 412	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 560	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 3416	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 3416	1636	firefox.exe	firefox.exe
PID 1636 wrote to memory of 3416	1636	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\246b78329cdef1989c4f27b411312162_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\246b78329cdef1989c4f27b411312162_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PpvnCNf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EF.tmp"
2⤵
- Creates scheduled task(s)
PID:5448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.0.8007918\1159297448" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20671 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e28d479c-db0a-444d-bb1a-0e04d1226d81} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1920 1acc58d7858 gpu
3⤵
PID:412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.1.312206622\1830956859" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20707 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a193122-015e-4d60-85f9-a85810b5a63d} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2360 1acc55fb458 socket
3⤵
PID:560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.2.269323923\198483894" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3076 -prefsLen 20745 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa3ee4a-0fed-4ee2-a1a6-45f6f908f551} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2912 1acc979c358 tab
3⤵
PID:3416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.3.867308861\525868645" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 25988 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62db6a2f-5c9b-4d39-9926-853a43674fd8} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3552 1acc9d81358 tab
3⤵
PID:3948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.4.988112101\646649214" -childID 3 -isForBrowser -prefsHandle 3820 -prefMapHandle 3816 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40fac36-9c6e-495a-94b4-bbc7aef28fac} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 3828 1acca5c4858 tab
3⤵
PID:5152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.5.482875327\87748368" -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 5076 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90b0a1e7-4fba-46f7-b250-9662f1bb50df} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 5092 1acc7e94858 tab
3⤵
PID:5800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.6.1757192307\661622445" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05170d91-0c1e-4eb1-9fef-384bac524522} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 5084 1accb6e1e58 tab
3⤵
PID:5808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.7.1588399138\796200251" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5400 -prefsLen 26047 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61fdab3f-502a-45de-b618-80455915e461} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 5480 1accbe51258 tab
3⤵
PID:5816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.8.1648259172\751204996" -childID 7 -isForBrowser -prefsHandle 5964 -prefMapHandle 5944 -prefsLen 26206 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26dd4de4-f88f-4101-8488-de0692b04f0b} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 5956 1acccfc7458 tab
3⤵
PID:5880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.9.2076256181\1772251666" -parentBuildID 20221007134813 -prefsHandle 5784 -prefMapHandle 5968 -prefsLen 26206 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {212e4650-75fc-4ecc-ab68-0ce44d55f245} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 5972 1acccfc8358 rdd
3⤵
PID:488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.10.930673584\2077290800" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6132 -prefMapHandle 6072 -prefsLen 26206 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3729f88-c6b0-4b00-9d34-884b6c400ec6} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 6128 1accd0d3858 utility
3⤵
PID:416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.11.2069668035\1319235767" -childID 8 -isForBrowser -prefsHandle 6296 -prefMapHandle 6132 -prefsLen 27963 -prefMapSize 233414 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c763e2d-dd60-4042-9be1-fa2e57aae65f} 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 5856 1accb4fbd58 tab
3⤵
PID:6164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5064 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8
1⤵
PID:6228

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fa5e8a0843ea470b9fbf3602ac0336e5 /t 644 /p 1636
1⤵
PID:6152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\0D1990B16C98DB4A7854DD0B18B1B84F60D2D613
Filesize
10KB

MD5
048fab21203d88124f99e1625f5590da

SHA1
01a754588314854d9b60d57da7b655c416549a4b

SHA256
eb6c87809e160ca6a55c285a6aeaa2f3d49197616ae9ad408a66581cbf12a3e9

SHA512
467e0cdab0c7c07b11da7da925e483a23d5b4df8ddc1d299d5337574cf58bf1f4284bae0806ec09783cab8193c9157efed4a293c7b5faf7c1a978de5d9d430d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\2AD37D50561DE704776DC8383841AA3308059B1B
Filesize
147KB

MD5
3d415d7fde722241685068b0bd0896bb

SHA1
3027ec3ed9ae2b24ee3449719c4208c7a0d84f2b

SHA256
f4bdcdb5dfe86dee062aa306492276ef560fe75c5009148eef6e82aebbc5c755

SHA512
197e990acebeda39108b3637580d2961cc25277e9d999387e331fa002abfba30542e96e84d057c5bb554f9d15584b875a63b79cc1a28556a12ed810580513155

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\cache2\entries\DE23CF9E01AA6278843163311B343B07086E02FC
Filesize
207KB

MD5
cf6278d8f559e52da5e20291ceda335c

SHA1
921db96d4ba9e4778abc3eb9db416b98f38841ad

SHA256
7d50d141823ba04a35ae48952153e98155f5f9c21dbcbd26d7b8fee39fb9399c

SHA512
3eea35592f31b9f549f7399f5eb225a788e9016242c2dc656d58163d64b5eacab1fb0d33806a8c4781af02ef7ae4941169421e6a446150926eda56f5e0773e38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s7sufels.default-release\thumbnails\cc40259d4258e1951552a8316324267d.png
Filesize
80KB

MD5
3f4e4a3ef991ede37928454770c5d81b

SHA1
7c8708146bb8777e3d0ed5d74b5af1a201098653

SHA256
2d0bd3f38a1d47df6628788101a94e2e5097ecfd910a6b05ae80e970230195dd

SHA512
4785087a4c1dc4e1eebf951df7d34095c75ca055e05484bb6fd484fc6c0d168494a451c1508e2a22ea39b0a09b3252e6d5debf9b7974440037dff24e7285abce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EF.tmp
Filesize
1KB

MD5
7e3e93225523372a9b29ead0fe79291e

SHA1
19d69363e7e29adc8cb1a0fe4dfce1f3edce5f48

SHA256
8caa6ff44698bedc7004b77e8407406f1f1b6bdb086bd54686cbef9e45bc3349

SHA512
b213f3566f8caede35200473f2a090336799e5b29c337d1d0024bf1abb28c21a544921938cfdb433a906e7d20a709651a9bdc39103addb5531a78a92bea2e5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
f6cc7ad687d9cbf20e019bf54734d40a

SHA1
c430e96891987ae1c0a40915584933f1ccc91cdd

SHA256
e1af20b631a06d1ca6f89cc6916a082c5b026fac7522534869b754187213d064

SHA512
64843bf013044b3845a354408bb084a5e48f3c3406b0c1c879b8bda557c286cd0d8db92b86324192793be4e896662d335c18aa44a3f48ed726fbb71917136b08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\3adc6f1e-c95b-4f52-9b18-410aa8c06214
Filesize
746B

MD5
e59d7cd7042bcc7578f6a37a3ca570c2

SHA1
2239d6444cb7547a3b0a00d79fad92b0cbf93ec2

SHA256
d27b67f6473541cbafcebc881d2c076c4c5627b3369a1606ed39c5d8145036f8

SHA512
62498e8b2c481a34e4ae1129a91a4ed25b6c9a43c3685075128afcb1b31c50f6dd0d1050f65f7f47dc045bec06f854e8e5c9a96f41cfc2f8cdd246f065ee6e19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\a9ec9621-2768-4c1e-b3ba-7cc6626e05ac
Filesize
11KB

MD5
6c84afe3c9bc349b1f5ec97ba5d394c5

SHA1
252f4e63f30e8dcfb2a13830aadda667f674e81c

SHA256
5c1973d986a189d240de88b975091ffdc5d8ad2948f3da18ed1f0984033afd2a

SHA512
5959c49a577542576ef979c88e6b750abcbc0978db3776b26c9600d6d747b32e44941678d214bdfe9569eff9350044996cfee6dfc2cf3e35e7815647bfe193b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js
Filesize
6KB

MD5
ffbb153fef27b1b722708847f52e3d1f

SHA1
700584d3a3178a4853029c07286161f3a20aa214

SHA256
90204ad697659b29d74094b21d91a7bd3cf311f448dfe2965fb7cdf811f4807e

SHA512
d9ceac00da15922d7ee0765bec7521613a31c454d72387f2153914969ec7ae3cf90f278465bce0dabd08ada3564498ae150d184645d46f4770c0b5498e589cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js
Filesize
7KB

MD5
9db14e08990fe5337f226329aef3bce5

SHA1
ec711a62d2aa1c5dc5471684e0cdd43869969414

SHA256
45651b94cac6f2a871bec30d712484f4e47f2b8a41f87ffdd9b3848ec5f648f2

SHA512
db2c22d4b5ed49a078053ebf418e8574e41eecb1b3ce0d82618e2e130ad67988029d1847a01a24fdb1c8bda4c65d1d92a58a04096ff32a7346914ad5601dbad0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js
Filesize
7KB

MD5
4923a0b863e28bff19ad5d7dea8f5283

SHA1
4f75846b175dc8937f3587cab6d3d0d1f4a5d7ff

SHA256
e89cc908afb666c5ea9b57da0478b1d442473d325eb890677df070ccee3abb85

SHA512
3609d4dc6b10661f4d5a40592a3a0ac0c9a0581579916200de0167b1cfe2a838e7ea744e34dfb22a8b1dc8d6976f789db3ef85920bea5c8b246a6f317a30b80d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js
Filesize
6KB

MD5
188192d0a5867d22af3390da393a8061

SHA1
2fb54f5057a1d4f738ab8b38b851d89a60388a3d

SHA256
80bd6c0051aaf6b4324c3778ac1b91cb46022049bcf347c714940ac47efc5c05

SHA512
490c1e6831e210c6279c8add6b522e8c42fd0c08a865d7fbe752b9e736ca81b108416330b339849e42c589e74aaeb432655be9f2ffadcb7ac8881d4b5aeec21a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js
Filesize
7KB

MD5
05e84e0906b4f5180b8c1c8a5a32d101

SHA1
c172c4a3717c087939f80682f6f614a4028ec6e3

SHA256
de17bd1f0da79f417e7f1f967c4dd0cba8643b4d59b3f09c49e8a59a762fe45a

SHA512
ab5fbd646b3d75d7b890dcebd7e90411a8142ee6b7f810c7e17a8392a8667088fec43e01e867af254739ee3e002c3e1a505c3ada55e82e7b08fcd88a01df09f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs.js
Filesize
5KB

MD5
d215cf7c324f1f89b7b8b7d2254791a7

SHA1
85f1c62b79684116cfcb7aa6a8a29fc3ad5582d7

SHA256
45e8010eae2f9346f63bc749bbfe12687da922a83539d10538f3cecfb6656376

SHA512
c5c6f0d5b52929052f2a7b9cac8d1e77bdbce095086830a1e0ecda4feee190c43d2f4afac2b0acd301105d947fcb303df3825a83084ce72f6ff7a5f63f471368

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs.js
Filesize
7KB

MD5
0aa7b9cd9534e1c522f1d2939784da58

SHA1
f8486dc424500b5f6809945893542a3f709d93a9

SHA256
6314e7e5bc063bd138f88f7002feb9fb9378db7b5346c57bc6a84a7124b9f299

SHA512
55f4d2d61afa06ad7d1ed4a4367f1751fd1440c18ef69db3a1e05f41a13c4492b75c5fa35c9db36405267707e61ecc555772f6158b06cc6a1823bddb7f6954d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs.js
Filesize
5KB

MD5
a67f1ea7d56889a04d669bfaae1643f3

SHA1
2990444968d0835ba6d8cc389d53dd493b57f741

SHA256
61d4f76d424bf93cddef929de3d414bdbb7cb309154e4f5505baf221315483ce

SHA512
11d7165bdf9bf964b42e91a492ad31e5b5d8f4496332fe39bc77eaa3f2cc4b2c3f01f32d1876fac3788a1d3fe6b7f0332ec1ef2aaab0dbe7412371a683bb8e51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
33aa1042df7f8c3bf4d918a12bcc01a2

SHA1
323425a720a53cbbaf256b6b54b8ee7126871e20

SHA256
25dc5cd82074b636bfd5aebf4a66a092a3ca36f5d9d2a539310405e57570d76e

SHA512
e43cee1e394cdf9d0d3c58840aef5cd9ea0801a8ea79106058be41aa817f5e81b106dbc0988ee73870b90dd024e5618d7fa63df9ee951055652b963a01ecb888

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
d9eafaad0a4567212fa689dedbd152fa

SHA1
1d81ccb7e074e437e804fca822a37b3b5ef67659

SHA256
93cdbf3d91177bc55fe8e5ef9e1041d6865982114ce81904733f8777aff4f452

SHA512
691c567aaa0a47b98ff635166d77abe2a5add6479addef792392263f80f3f281a948f99f6e41b5ae38ea2bfabca544f25f26e186338c1e62bf6088c8f4b6d6a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b48db6e8dbdaa6c49c9538c1ad8ea43e

SHA1
215dc3f00c6511615fb43f812369bdc9ea95470d

SHA256
ea41b0b1d99c700b3e19e858ca0b07f2333b4fe0aeb66e8ff766a5700f4e9f26

SHA512
ddc1b33cd1950df5fa23ca02a39031bd2847a1fea237371884a44cd59e3ca57448d85de59a4d44a54a48acc658c2d528c27cf02232f5e790d592e7a32dfa3268

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
f0e89206b6ad3ae1f863a86251831cbc

SHA1
cb548e312d3607a7615eb9d61fc8a78fb6d42934

SHA256
3fa494fcc1e2c5ea4c5020e7e975746989cab75afc06a0119f1c0d1c6a61947b

SHA512
4d80c7fae9a0d8c8a879f66a5e30e8800e6cd7053cd63ab859f22a3fc9169f158d18a06abddc36a78777cbf24934efc8a745470687c805ca1b9c6e6f980bfecb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
5547d38b8c23ea82cd1e77cace5de35a

SHA1
8699ffbc9fc3263d34eb301cd50a2009d7c6344a

SHA256
e3842dac921ed8f3d2421ccbbe02f784c17aea5c10041416e6cd0062d1d23dcd

SHA512
46c0572dada1353460642b5764e831fff49b3319eea1e2baa747dfe0d689f75e870b81f3b1f8f7a3b9037affa6b33dcdf6dfa7721ba7538385416cc24c5be1c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b700b03e80560b4dc5a8138cbcd9b323

SHA1
359400549544257056e136db30ce5ea0d5847021

SHA256
aa14e3c6cd4150a77d5fccf8ad2d2d16b9776e483810c600ae84a8c7949ae9ca

SHA512
6425bc113d6bb94a1f9a254256ff8136cafc6242ad76daade387a5ec412935e7ba7d0a0066b1420142c6892647f6e18d82dcd36bebb9f856e5508f90ed9e12ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
94f342bd82d761a249c49950229c06d3

SHA1
e6f8468c23ac286b741c1c49654a6b6e75e2d6d6

SHA256
4778792e33db5a4d29c7d4d8395ad32a37c76d920ff67366c5dc2eb4c28a8361

SHA512
0a91e9a3238ac5b5f3b441aa8e4835a92233611a237cdc724ceccba617f3fd3257ad0d8cc31ecf4e2f9f2be1d3458855f70ef35424bcbad681f658ee27d43213

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
5b79a08720c45e6316462828cabc9511

SHA1
43593a76753d5e320edeeedf680baa2bc7b0a45c

SHA256
36f4e164dd40356a969c6180b5c1bc66d27b285194665189cf430f955afc1618

SHA512
9010f59e518ba94719c539dc8195b9766ffef7622a3f80a2b3c4d2ecb36f835927799f05d99420b1b35c52f3c24b8bf41df97409ef44a037c7464d7cc56e6415

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
2adcfe303fd5427e44776f20fa63f72b

SHA1
b0367a22dfd4b04fe612416e77ce986fca1dc268

SHA256
6df416632cc08abfc1f3e9837e8955a61d2b3f6f1ca50a1cf653f0ab043bdbb0

SHA512
723ad399fa1638d513ae824ac9d016d2155b8f2e356f27e07a8ecd9ebc25ffc0185ed31281473ff0fb13fe962013e4cdb0a051f9d1223d0c6eaa60872611dc95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a395c963cccc6368481391a8c9340c30

SHA1
995ab4ff9e008c7f46f14a8a8657e404d3f91e00

SHA256
facaa47a4efe52235e16eee0a66452ce2749ff5a14a03bc21abfd26bfe4b86e4

SHA512
08548bc971e45ddce67e0de7286b4da31a799244b5b4a05e63b1bc08e4c2f92523eae26c139d25f9fd5e7ce6d8a01b99c96205bcb1e243b35f74ec6c8590f3fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
989a8eb781e6310d5b6dd78cce453c09

SHA1
df5569aa91c8afe8715c34749400c7e21de47bbf

SHA256
3f0edd179d2ceb087212549564f7bb95ed48320e0120dc2a66067d52fb811b95

SHA512
a85125d39d3c0ce35c67fe363baea329be1113d9627c8ae1803ae252df818f62d87c48978eda10efd7aa98360f965be1f71a69d8d751bab140c9f4fa4fa95ac6

Download Submit
memory/1992-201-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1992-212-0x0000000005550000-0x0000000005568000-memory.dmp

Filesize
96KB

Download
memory/1992-229-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1992-203-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/1992-511-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/1992-230-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/1992-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-468-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/1992-459-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/1992-213-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/2356-1-0x0000000000BA0000-0x0000000000C5A000-memory.dmp

Filesize
744KB

Download
memory/2356-0-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/2356-185-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2356-186-0x00000000070B0000-0x0000000007134000-memory.dmp

Filesize
528KB

Download
memory/2356-89-0x0000000001710000-0x0000000001724000-memory.dmp

Filesize
80KB

Download
memory/2356-187-0x0000000008230000-0x000000000826C000-memory.dmp

Filesize
240KB

Download
memory/2356-6-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/2356-5-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2356-202-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/2356-4-0x00000000056C0000-0x000000000575C000-memory.dmp

Filesize
624KB

Download
memory/2356-3-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/2356-2-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/2356-182-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download