amadey | b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
23/07/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
Size

1.8MB
MD5

3ffa502d38a0841f54f2bb96f34eda85
SHA1

d152f8ac6b6c1ecb8f80b77f2182e6e42e43b731
SHA256

b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d
SHA512

5a4896936a85baab8e322618683ac72091d968253f2cab2227c7126365c07ae9ce3f19ab3f0a4f1d690773d7ad702b70da786f68e0c60058d2d59dc2f08a6dca
SSDEEP

49152:jGgRd+om5zN3V9dOjDMxzZeCCWWDa+DhBsxVbeCee:jXRd+T71eTuaMe

Score

10^/10

amadey stealc 4dd39d sila evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

sila

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Executes dropped EXE 7 IoCs

pid	Process
4784	explorti.exe
3156	explorti.exe
3472	e70f7897f8.exe
1552	b2d48e9074.exe
1620	explorti.exe
1556	explorti.exe
5924	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Wine	explorti.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\e70f7897f8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021001\\e70f7897f8.exe"	explorti.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000100000002ab11-51.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
420	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
4784	explorti.exe
1620	explorti.exe
1556	explorti.exe
5924	explorti.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 3156	4784	explorti.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4188	3472	WerFault.exe	84

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
420	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
420	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
4784	explorti.exe
4784	explorti.exe
1620	explorti.exe
1620	explorti.exe
1556	explorti.exe
1556	explorti.exe
5924	explorti.exe
5924	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	firefox.exe
Token: SeDebugPrivilege	820	firefox.exe
Token: SeDebugPrivilege	820	firefox.exe
Token: SeDebugPrivilege	820	firefox.exe
Token: SeDebugPrivilege	820	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
1552	b2d48e9074.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
820	firefox.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe
1552	b2d48e9074.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
820	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 4784	420	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe	82
PID 420 wrote to memory of 4784	420	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe	82
PID 420 wrote to memory of 4784	420	b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe	82
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3156	4784	explorti.exe	83
PID 4784 wrote to memory of 3472	4784	explorti.exe	84
PID 4784 wrote to memory of 3472	4784	explorti.exe	84
PID 4784 wrote to memory of 3472	4784	explorti.exe	84
PID 4784 wrote to memory of 1552	4784	explorti.exe	88
PID 4784 wrote to memory of 1552	4784	explorti.exe	88
PID 4784 wrote to memory of 1552	4784	explorti.exe	88
PID 1552 wrote to memory of 1880	1552	b2d48e9074.exe	90
PID 1552 wrote to memory of 1880	1552	b2d48e9074.exe	90
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 1880 wrote to memory of 820	1880	firefox.exe	93
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94
PID 820 wrote to memory of 2536	820	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe
"C:\Users\Admin\AppData\Local\Temp\b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:420
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    3⤵
    - Executes dropped EXE
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\1000021001\e70f7897f8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000021001\e70f7897f8.exe"
    3⤵
    - Executes dropped EXE
    PID:3472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1120
      4⤵
      Program crash
      PID:4188
- - C:\Users\Admin\AppData\Local\Temp\1000022001\b2d48e9074.exe
    "C:\Users\Admin\AppData\Local\Temp\1000022001\b2d48e9074.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1472 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24fc7c05-fb63-45f2-938d-d978ec2b9c43} 820 "\\.\pipe\gecko-crash-server-pipe.820" gpu
        6⤵
        
        PID:2536
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c3a0f4e-e844-463b-9c78-9f8f6bc08b74} 820 "\\.\pipe\gecko-crash-server-pipe.820" socket
        6⤵
        
        PID:2656
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2892 -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 3108 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11e8f428-4235-4066-893b-838931b0a9e6} 820 "\\.\pipe\gecko-crash-server-pipe.820" tab
        6⤵
        
        PID:1748
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 4000 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24866d5f-49da-4dfc-be9d-88b01bd0dd1d} 820 "\\.\pipe\gecko-crash-server-pipe.820" tab
        6⤵
        
        PID:1416
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4712 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9d22f59-1dca-43c2-af79-636c1589b020} 820 "\\.\pipe\gecko-crash-server-pipe.820" utility
        6⤵
        Checks processor information in registry
        
        PID:3112
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 4572 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fbce82a-c329-41e8-a41c-b70fceac6f5a} 820 "\\.\pipe\gecko-crash-server-pipe.820" tab
        6⤵
        
        PID:6140
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 4 -isForBrowser -prefsHandle 5788 -prefMapHandle 5792 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61034d1d-03c3-479c-bf96-e40f59bac7ae} 820 "\\.\pipe\gecko-crash-server-pipe.820" tab
        6⤵
        
        PID:4688
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5984 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c733be-6765-4f79-b336-7d6ef07870c2} 820 "\\.\pipe\gecko-crash-server-pipe.820" tab
        6⤵
        
        PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3472 -ip 3472
1⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz8w575m.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
8ec676b084a4785e1b8e4ae73f984fa5

SHA1
5e8f6a8f12e89cf5cd21ba8dab4541f995755bf3

SHA256
ca7510fd0f414e44216e1468e79bb24324053271997a90e4432379b2c3dc95a5

SHA512
79dbfd7a63c0d4756d105f29efdb37a09877391f5e75674e2d33fb9028f9c8055c2faebd6816db8d9f9eefe9afac9dbbb24ff075fc73f600f4fb0e182b60a737

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021001\e70f7897f8.exe

Filesize
318KB

MD5
ad5a4fda39e5b6baab5f6fef2bee3730

SHA1
a6773b310fd651152ca73f8c6b3be5a38fc71cdd

SHA256
c2643566b7886f6c16bc19e6eb804a7791bc713ae18b27f0d7fca938ca8f6817

SHA512
47354b4cb02b0b7ea8afff6661881022a2bb2d8feb83c756ec87b75bc3ab8f5874ff3508b824de8a187518d9ae320467b8c3575fa7f2e7fea1c8011d44430973

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\b2d48e9074.exe

Filesize
1.2MB

MD5
2e22ffc35badd6a848a2ea4ecc37940d

SHA1
e1a1b25dabc27b3cf54f6f01382c211d57c54453

SHA256
512bb87747812fdd189fcc63fa6886866cb811fd0ae1a46ed52201886aeef902

SHA512
f7bcf3434fac88fa9b46c086de0b978c342a2870a7e032a180fb930785ac9e7bb2fcecb20df245e3decf1be986fe53868621e5922c45ea95e4d27e1aa8cabf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Filesize
1.8MB

MD5
3ffa502d38a0841f54f2bb96f34eda85

SHA1
d152f8ac6b6c1ecb8f80b77f2182e6e42e43b731

SHA256
b1b0763774471a8d19f6a72fc61c1360cdbbb795ce2a0cc1cb42b4147c227e2d

SHA512
5a4896936a85baab8e322618683ac72091d968253f2cab2227c7126365c07ae9ce3f19ab3f0a4f1d690773d7ad702b70da786f68e0c60058d2d59dc2f08a6dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\AlternateServices.bin

Filesize
7KB

MD5
fe34918c37277fb85bde58ff20fec9b0

SHA1
de1413409c51dcbd1e964bdc43b9969cacbf8622

SHA256
7770ce9a02f5a23c7185d217873a891ee5bce8c53ae46ee32a77164c042e31f3

SHA512
92dbfcdd97daac3c491d037d4caa85c4453dd091271af040ff3153f1061bd751cd7bd9f9525ed3d60782334a7c93d204f75df7cf9d62a0adce0422790d57ab7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\AlternateServices.bin

Filesize
12KB

MD5
538f30acd87d22bdbca773c144d6149a

SHA1
11aa500f831c51ccb85a45549cb457f411dd22b8

SHA256
0bb3a4b48dd536648a78fa802f267a5a4aa704aa7d7eb7d33b003aaf7e1cee1d

SHA512
e68d1c8a47a7af799407290132e725bb87e22517bd66d69e0ac774c87124809d097d1a16c0e9f28b47113a4f3204ba501c645cf57f4db0109c257048dcee3930

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
84f02d582996e21edd15c14a5985af1a

SHA1
4aa398c2bbe79e60b8d3ef3386d405866f5d99ec

SHA256
73ea4651354e73e63454479b9bf127f7b5a5d8025d2972652bafdf2bc2a2380f

SHA512
96c361c4b9efa8116fcfe32c95bb502afe09487a3363e9e3a725db40f8f9f718ef610af4a2eed2d45e886086a743788fde81010feae071f5947828187886721d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
8a980602260cae453ca5a2fc4b07d40e

SHA1
390e1b37429bd0bbdd1acdd40417e6dcf40d879d

SHA256
2b14d0c73f4b04b02361a654ece3aa516616ceaa61810dcc0575413b6d2c9c51

SHA512
75392a0fb749bd0e9b2d32c2337e5b8d518c46e3d4f29b8cd4f837196e29477c376f1c8979faa7ff3f8657448f15d9fac5664ce2a65d6a1ac1ed169617e591ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8fb76fbdf8a488f0439824b32d4a5fd1

SHA1
a88de2e7c706809ce5461283153c445f4b1a5bb6

SHA256
4fb9c508fb5cec0c8a5738188ce10d62924cfc1ecc9737beb1ebfff8d860fa78

SHA512
7f3bc859186a902847ace5df212837b5c6554bdd0097dc0cf7df26da56c047cc883d8d03cf6fdc3287f128cd2defa88aeb5404573e18a6f2002fc4fc1584b7af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
d1e67b4ce86f721c170620a5a7ced35c

SHA1
50f88ce45692424f082a66bed7244d5c9a81e100

SHA256
aa1706abbce757ad4243eeebfba157c53b8a23c37937ca40979070a62473ed44

SHA512
2aba8616a64598974af6402c8f7413b20520d9c6c57a3b617401c803477e0f1bb974b63e9c87395cf3e373e10c2bae76a6d2c17063af2c6561ea22fc8d96e3fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\134edc73-ea34-4440-bd20-24b709a2312e

Filesize
671B

MD5
b3ce5f89753a8c016f8abbdaf54973ee

SHA1
37d93b08808b1a63fc1d5f22672bf59d06837d70

SHA256
18733efb650da9b3b5d23ad1de663babcd43192863bc3e0afdde66e8da2e80c2

SHA512
1d54f51519d20b65d195cb14209ab17d2c90fec434cfdc5e4b6e59638fbc1e1f8728956fb9a8b2284cf9a6af9f5b83db3e21fad034f928603ba7a2ef78ed8dba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\91f2712d-0e75-48bb-9a64-8a42443a2215

Filesize
982B

MD5
31446f684c73da566321bf1c96544b6b

SHA1
7528d3dfb73a9f397cb4780b9058d1ff93b88dba

SHA256
da9e7d222916d8c1743191fb5867aa262bc4826bfa2d3e03309664a5394e5f52

SHA512
2e1119806781fd45789e9fcd22bba254f7aee6213c29737ed50b633db57df4ca823e2bd0ddbd15aafc68abe447f7845b5638070d2fd96140f3872223dd719267

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\a30f40c4-9294-4181-ae62-1f0046c9a2bb

Filesize
25KB

MD5
e43847988d58e3ea91c3553bc2dd75f6

SHA1
5fda2439f61b8da2be98dd24c422d329c9df573e

SHA256
47f8630760e9b556ac1d3899e57cee52718d70c20cb0abaaee7ec8ae0d2976bd

SHA512
2496f178b0289b5ed14807e217e554992718aac037584928f15093749511ebf3ecab001a597327cbe6dfcee925263f34def3bd7502c52df25dca7738f4625e43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs-1.js

Filesize
15KB

MD5
92a8840566f8e4780c597b2702f44093

SHA1
d5eb3e13ea59e16a06b5534b19f0a831609c75c5

SHA256
21fa5947c0190fa6f1b17199b914c8a62d9c99ddb32501a159e8fe1dbab37f2c

SHA512
42dec479ea18b6d52f7ab787e122bcc6b0a0006bbfdad5f9f59c142d136c215f4260c2b08332bde79caa36f1899c79f498faf99a80c992b37858f178933888f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs-1.js

Filesize
11KB

MD5
123246c50cd580bfeded8f7a9172d164

SHA1
76fbaa91984fb359a7cbfa40b63e4d0bd9a3f5e4

SHA256
f6dab45d6542571909084ef5eaf9bb8e32d41cf150218e8ac0f4a1757b3e212d

SHA512
1c3059a6b8161165d9b4608973a4e1deb437450dc9af2556bb3ec2eb59c94c42ddbde70fae819f6ac4f7ce1baf84c609f5886f68e215370cbe59d89c42682b1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs-1.js

Filesize
11KB

MD5
7e36865bee461b3526af2966df006f05

SHA1
e7654d02dec92c26c090fd5d3720dcf66ea7ca02

SHA256
f414c5041881aa2e42099f075a3fc44db44fd0ffb092cb1dc6c3bfdd4c49c313

SHA512
315735f71f8551ed1461be948e388e5e364fb5fefd8b2afb3854cb9485ca1c9faddcd8d6a9ea51e00e9fec226e4579ad1bf4f1f29e22285a9b66d68e7121c9b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs.js

Filesize
15KB

MD5
cb8c88f5dd9afb64bba101f02ce454bd

SHA1
660c970d337ce5ae2e80bd17996b4e66c0397969

SHA256
5f4b5b7a8d3469c98272b3d77a27577a22e8c81e79ee1b3a08cb02da3c06a67a

SHA512
f25591dda871bbef2f234534f27f2f8005d71a7341fc67177a3b3db365e9a4e9eb3f92eb194ae961bb422d58f24579d88697946e1a11a016f32b0eb952943e5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs.js

Filesize
8KB

MD5
8e0978ead19cfecc30642ccbcb4f5150

SHA1
55ecdad14314e1b026cb4156717ea15c6f224079

SHA256
13c73ecf08ac4f7e2d0a82ba95283f79b5465c70c768034006b8dc577cb919b1

SHA512
a9d0e4c16e7beadb2714b5506a3de5484a399f79c7dd4f3c1f429a5bbad33d1dbc225d7dfbd586d2ea5d85d575c15102030ad48c7f00cf9e00392beaaee9678c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.8MB

MD5
18c776e1366c3fcea0cf5cc04df01ccb

SHA1
027f532121b7bd9d97b25f9b2c853e86bc29577a

SHA256
1661379c0ab900e9a5a87ee7ea113c5f13b838772183c701ae18eb89558e200e

SHA512
d7996660519145fa15a84b0da950d76aaa57ba0625690c394cf73ed1f16c10a884baee9681e1c8f740c72209f19c0ceca15f2640fee12c3e2832ab4b47159fda

Download Submit
memory/420-1-0x0000000077D06000-0x0000000077D08000-memory.dmp

Filesize
8KB

Download
memory/420-0-0x0000000000AC0000-0x0000000000F5C000-memory.dmp

Filesize
4.6MB

Download
memory/420-2-0x0000000000AC1000-0x0000000000AEF000-memory.dmp

Filesize
184KB

Download
memory/420-3-0x0000000000AC0000-0x0000000000F5C000-memory.dmp

Filesize
4.6MB

Download
memory/420-5-0x0000000000AC0000-0x0000000000F5C000-memory.dmp

Filesize
4.6MB

Download
memory/420-17-0x0000000000AC0000-0x0000000000F5C000-memory.dmp

Filesize
4.6MB

Download
memory/1556-2629-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/1556-2620-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/1620-66-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/1620-67-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/3156-24-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3156-27-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3156-28-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/3472-45-0x0000000000400000-0x0000000002469000-memory.dmp

Filesize
32.4MB

Download
memory/4784-2326-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-20-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-405-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-396-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-68-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-46-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-21-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-19-0x0000000000FD1000-0x0000000000FFF000-memory.dmp

Filesize
184KB

Download
memory/4784-726-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-18-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-431-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-436-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-1248-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2630-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2634-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2635-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2636-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2637-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2638-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2643-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/5924-2642-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download
memory/5924-2640-0x0000000000FD0000-0x000000000146C000-memory.dmp

Filesize
4.6MB

Download