amadey | 25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c

Analysis

max time kernel
149s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
15-07-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
Size

1.8MB
MD5

d6ea4c09b7fb98913ff57dc0844f9580
SHA1

363b0adb81f36295c281d3d2a26c2a7d618039b0
SHA256

25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c
SHA512

1485e92de0f3273fa09f02ebe15e36741ee86c384815b71095315d058531a27fff1ea052586fe2a7e716a19f3f92909031e89c7e0b8f77bc43075010f48ba1eb
SSDEEP

49152:HrGdFWX+x64TBxFBSvnczGm7kGXekCkc1:yTWX+xxfwcam4GJ+

Score

10^/10

amadey stealc 4dd39d funny discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

funny

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GHJKECAAAF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GHJKECAAAF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GHJKECAAAF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Executes dropped EXE 6 IoCs

pid	Process
5788	explorti.exe
2456	9036ee7c8e.exe
2836	4d7afc3516.exe
8	GHJKECAAAF.exe
2452	explorti.exe
432	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	GHJKECAAAF.exe
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	explorti.exe

Loads dropped DLL 2 IoCs

pid	Process
2456	9036ee7c8e.exe
2456	9036ee7c8e.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002aa81-42.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
5788	explorti.exe
2456	9036ee7c8e.exe
2456	9036ee7c8e.exe
8	GHJKECAAAF.exe
2452	explorti.exe
432	explorti.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9036ee7c8e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9036ee7c8e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
5788	explorti.exe
5788	explorti.exe
2456	9036ee7c8e.exe
2456	9036ee7c8e.exe
2456	9036ee7c8e.exe
2456	9036ee7c8e.exe
8	GHJKECAAAF.exe
8	GHJKECAAAF.exe
2452	explorti.exe
2452	explorti.exe
432	explorti.exe
432	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe
Token: SeDebugPrivilege	3304	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
3304	firefox.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe
2836	4d7afc3516.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2456	9036ee7c8e.exe
3304	firefox.exe
1092	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 5788	3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe	83
PID 3264 wrote to memory of 5788	3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe	83
PID 3264 wrote to memory of 5788	3264	25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe	83
PID 5788 wrote to memory of 2456	5788	explorti.exe	84
PID 5788 wrote to memory of 2456	5788	explorti.exe	84
PID 5788 wrote to memory of 2456	5788	explorti.exe	84
PID 5788 wrote to memory of 2836	5788	explorti.exe	85
PID 5788 wrote to memory of 2836	5788	explorti.exe	85
PID 5788 wrote to memory of 2836	5788	explorti.exe	85
PID 2836 wrote to memory of 1416	2836	4d7afc3516.exe	86
PID 2836 wrote to memory of 1416	2836	4d7afc3516.exe	86
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 1416 wrote to memory of 3304	1416	firefox.exe	89
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90
PID 3304 wrote to memory of 1688	3304	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe
"C:\Users\Admin\AppData\Local\Temp\25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\1000006001\9036ee7c8e.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\9036ee7c8e.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJKECAAAF.exe"
      4⤵
      PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\GHJKECAAAF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GHJKECAAAF.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIIDGCGCBF.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\1000011001\4d7afc3516.exe
    "C:\Users\Admin\AppData\Local\Temp\1000011001\4d7afc3516.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b558ba3-9071-4aba-ab80-4162be1f3af4} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" gpu
        6⤵
        
        PID:1688
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e0edd3b-3aba-4081-b1bc-1ef3d4f56543} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" socket
        6⤵
        
        PID:888
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 3268 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57f5779e-e403-4204-87d9-70cd2a637614} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
        6⤵
        
        PID:2212
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 2488 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c61caaa-6214-40bf-99b6-b441314ab68d} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
        6⤵
        
        PID:5424
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4652 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28ab50ad-1489-4872-9259-187c8ab4ac6f} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" utility
        6⤵
        Checks processor information in registry
        
        PID:3200
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb6fce9c-77eb-4108-9674-336a3289f856} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
        6⤵
        
        PID:5224
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 4 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {236f7087-401a-4df9-8191-2a4a69b2f289} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
        6⤵
        
        PID:2512
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5836 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bec5565-b1f1-4f86-b579-34ef8772d029} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" tab
        6⤵
        
        PID:5516

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
20KB

MD5
751fc8c8739b847594b90d02611fb2fc

SHA1
0f14f2c0096ee7548b1a9229be1ac78d3341c009

SHA256
bf0fac13b99d55aa8656da4997cdd728e82fff0e909b48782bc8c34977a510a0

SHA512
3033def83c11490067026e37c4e6853d1aa7e69d0a3386d63075b4ecd32841e6f303a9e8a540e5da27a8ca7346260d0000face51e82086d694d3891ca79fa29a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
de38e0d6184ef23989f35fc0ca9b5d59

SHA1
31b9f2704ade11071558a28cf83e16479e8bd20e

SHA256
10261aa47c6a7210b4d7f352836753ae14177c992fbf464ec5d401a171b6f455

SHA512
1419046110d83fb0dbd678909890ed11a4f9660b41810913a4e4d7481ed9e99639eb3ce3dc48f98a1127c8d686925baa938aa378df336be0c5e70923a2022653

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\9036ee7c8e.exe

Filesize
2.4MB

MD5
cdee5e5fc7ed717bfa4d6d70fa5ec427

SHA1
8c801d339f44014ba6be70075125aef1f713546c

SHA256
73df1d0543aa692075a501ab897892cbe0cbb20af53041e1997863bdafac3ba0

SHA512
c51cce67ad5558b348a6069c9a3250155ba1e4b26a2a28e77ed103e52cb5774c9df24f9a8401138090de13a40bf9713529cbd9fe893e7250abd6f0fb51fa9433

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\4d7afc3516.exe

Filesize
1.2MB

MD5
a32489ad4d6cfb510e49b8bc4cb32677

SHA1
d23caa9cf7f0a77c98607c9777274234dd24d3c0

SHA256
c72cc72cf587a47c054a7eaa6b511fe1fbe52d39b7a645176fbfec752bdf577b

SHA512
fdfdc15a91b2c0e1a979ca073f503cd05a761bf71b8dd6488d272aad6a3e8206561451f202ea03b20666af8eed7a93852ec00b47a0dc3102bec35596a0f80677

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Filesize
1.8MB

MD5
d6ea4c09b7fb98913ff57dc0844f9580

SHA1
363b0adb81f36295c281d3d2a26c2a7d618039b0

SHA256
25b4be6d78c9d58abded5f69147c7cdd8f9251b527bfeb7efc687832f7a9231c

SHA512
1485e92de0f3273fa09f02ebe15e36741ee86c384815b71095315d058531a27fff1ea052586fe2a7e716a19f3f92909031e89c7e0b8f77bc43075010f48ba1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
17KB

MD5
74c2cbe0cb82c96260b3ff8e5da6abbd

SHA1
064d3f4383f191c2ad15f9ef7b09e107ed735874

SHA256
9ddd47573d5a82a509f4dad04de90ac427c251dcb6943ecd4f1e905eaae73486

SHA512
f763c8e8640902f4949c1f9c6f01ec02a13d6d1493e9d778bf4c22af2bb3f550dec2b5a3d4e16f0dead741a2f7e61fd2073837cf939fcde621b6aca503d16bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
12KB

MD5
dea89d835b42d50291051f4cedd89fd4

SHA1
d994c39207deb53085c02fedecc0783409f1e7ea

SHA256
beb7c3b37e8df2d4fdfdb443655c743be818c01be23736eb068a3a97f1efec9c

SHA512
a9bbfefc1c0f878a2827a98aaa0081395a911facd0dca0b8a0223a2e8597d7a6e3c195d657d0338a83d92491668ddb5ab30000ad71388df1d34dafccc6942fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
e937cb3806bb777a9b288facd3951ffc

SHA1
3b4d7f92a772a75c51795c5c093ad3f3678fad2b

SHA256
7fa6d8c7b6c84c1f8169ca9a17b0f3c5da24f27ad4e1a8a3c4f4973182b4f661

SHA512
3231a5d6d752efa967b89a1153fe78ac2d2a15dd896e77e4105f11915f41b6c308e3f5c5a8f5a9e507ddcefce050d8a1283e8ee48a2964e18df824a0c7508b3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
2cc78f004ac24b97332ad9ae395f6e2c

SHA1
07b01a9a6bb7336e38fc87b46847934c8aa13d23

SHA256
eb43ff04f6977e4346c31ce81e31fced2b751cfacf3aa5a77d5b398a92fb2fd9

SHA512
897b9b7f40fc951e584bf7bd15092cfb60ffec1d0d7b78fad764b8365d9c95b2d978ec1e873774fe88118301ceb4277414861be3ec7bf56b2243675dc0d3887f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f78520deacbca57931c581c4e3c0c51f

SHA1
047a852fde4c92493317c7b3367bf77ada96521c

SHA256
04a7a33ae8bd0216ef04418025029ea245d868084d1010ed9c538a1a919faaf5

SHA512
99c7faa688a1c6620b41b4aaa94f98d4150c479e1d744ebb7550c3d9c845f05dee9d450055815404a4b587a11afd6e0c50ed59d6f93be19c1cfb3cd50913da55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a5331a827da510a3dbc7c90bcee91e20

SHA1
a76d6aed0b763b29749d6e2f86c6fceb3db3b40c

SHA256
ddb70e987544c44ffacb1b361ef493cc1963a1802e03b0620c2bf73e210ba03f

SHA512
fb9d49de3504c3d27bc710b0f4bdf38c5bcf27a995460850fb96865818847bfd9e37649c8523d2b833603d272815c37fd3e4458e40e1316d18ca2f88d102994a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\1e368c1d-4753-411d-89e2-308034327823

Filesize
671B

MD5
a16c1215afd05f6bf01ca2578f2018cf

SHA1
25b76b30a3115d8ce7ef032223f88656ad75a91e

SHA256
54b5dc56c0d3188ee65c2127099678800cd82a5cb87e739c2fbec4be53758e6b

SHA512
50f9648c44c51ae792f53ba2f270c099b3f36ed6cf41abcab3b48cf8563a896b96d3795332792d9a38b6b669f812a673d6a8cd2d6adb9f60619a65d575c20be9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\7cf9b10c-fc2f-42af-8060-011f38b95e5a

Filesize
26KB

MD5
49ab91c69f52fd95af24ee3b3108cf2e

SHA1
a1b96df6d5240125ca6a028f8eeacc61814b5804

SHA256
1eaa67cd8dd6c76f0f0450360e36e0918ebd1b164237149c4ac63d21753286dd

SHA512
440c060dfb7adf80cfa2ba4e638be675a4886c63dcf3bb6d7942d92bf1c5262944493f839a617aa54e81929c67dac2ab6fc7ef83c0aa18f2c4c75d101a0890af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\b10c6d4f-fd0c-43df-93c3-ee4f307ab374

Filesize
982B

MD5
eb5c6fedefc4c29309fe26687ea2ab95

SHA1
f61cfd9bb96c1a8ec3c47008d91f9d3068b24aa9

SHA256
67560e520c55b74805014beca833482c9c9c82fd3671b285b66ce1297549ff75

SHA512
47b250052e512f4ec450f888bab4f3d2e883e3efb148b928304ec505958baf1845d96b1c78a76e8682e080ebf48a07e49ec3196431d1d12b07c3eb840dfa251a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
11KB

MD5
23f77388ea064d51af41b670b3463cb3

SHA1
083c4c9e70288ae336ccb81d5865468321215d09

SHA256
eb1b3ef684b6080e4bc0200609c41948d70589a5726e28facf72c2f4a3984d72

SHA512
b47553d2aa7c64c5bd003e4b82b8bcf7d4350cf3af39ff2ea74c27417ec3e8c8292681b00ddd45fb313d999ac0534418a5fd07bb6fed3e819d5a31b2c2fe654f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
11KB

MD5
3b1698d4a0fad70a672b69062d43b715

SHA1
a4041680126a619e072504ed67b9a0904c250a10

SHA256
59b81a6eb1e18740c030a456f6e90e15dc784da58fd94feb0cc58b0e57f23c2f

SHA512
489275d8de3c65f9203d7d5b4ccd72df6ce3f040396d5514d24bda7fcce285143e04f46fed1dd8c10c73aaa9c724b802aab20f0612300d24823d0e5b9fd14b0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

Filesize
8KB

MD5
325b22095060972399387e9438c0bb2f

SHA1
4959a7d409957f1c4cd1728da2517ba0afa94e1c

SHA256
dd99b9b3f0baf2d366f80b4fcb56ec0f55bdf6352d5ccf9abfe9ffe96beceff3

SHA512
65756c7a452f3ac05c2acdeb7cffb007191a04e98980b4abb70c0a41ff5515e4b01fcbda147463034b23b0ac47a8f8b8319f7b6570647ffa8196ccc03097e920

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
968KB

MD5
42f538ee0247f12ac896efffae811628

SHA1
1d2295bb64d6af08fe3b13b3decbf4c907c92973

SHA256
4c3f01d601ec35af4c108bb53abcdf4b71dcde11bdf1c9e51a74d0bd3da96afa

SHA512
a95be4a75bfd6e1e5989e7e9b3cb43a4aaf78cd22112395f18dcbb1d234ce77199d740af8c70cfbb0eec173678306ff2ea117ee7b5b4dfa171e02b548c71677e

Download Submit
memory/8-479-0x0000000000C00000-0x00000000010C5000-memory.dmp

Filesize
4.8MB

Download
memory/8-481-0x0000000000C00000-0x00000000010C5000-memory.dmp

Filesize
4.8MB

Download
memory/432-2631-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/432-2630-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/2452-2614-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/2452-2613-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/2456-474-0x0000000000F00000-0x0000000001AF4000-memory.dmp

Filesize
12.0MB

Download
memory/2456-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2456-37-0x0000000000F00000-0x0000000001AF4000-memory.dmp

Filesize
12.0MB

Download
memory/3264-0-0x0000000000700000-0x0000000000BC5000-memory.dmp

Filesize
4.8MB

Download
memory/3264-17-0x0000000000700000-0x0000000000BC5000-memory.dmp

Filesize
4.8MB

Download
memory/3264-5-0x0000000000700000-0x0000000000BC5000-memory.dmp

Filesize
4.8MB

Download
memory/3264-3-0x0000000000700000-0x0000000000BC5000-memory.dmp

Filesize
4.8MB

Download
memory/3264-2-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/3264-1-0x0000000077776000-0x0000000077778000-memory.dmp

Filesize
8KB

Download
memory/5788-490-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-505-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-500-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-499-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-1090-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2585-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-478-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-21-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2615-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2621-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-20-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2625-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2626-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2627-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2628-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-19-0x0000000000DE1000-0x0000000000E0F000-memory.dmp

Filesize
184KB

Download
memory/5788-18-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2632-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2633-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download
memory/5788-2639-0x0000000000DE0000-0x00000000012A5000-memory.dmp

Filesize
4.8MB

Download