amadey | 4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
27-07-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
Size

1.8MB
MD5

b045977f163ae6cd38499d59fe29fa96
SHA1

877a5b6f46b632c3c476042e92772c78e0e08de1
SHA256

4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374
SHA512

92d4e67368218d627d4ce51beb9ec6a9ba6df871de244db35306488c24f1273500984f0735b64502a245a3572a98bb472d1a6c1b35d6460815c81fcc4e6a2bd0
SSDEEP

49152:CPVykn7w6S1dNFoonFmpEK5A1yT6xBQNB49oUQ7:fknq1LaEmyB1S6xB2BzU

Score

10^/10

amadey stealc 0657d1 sila discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

sila

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	explorti.exe
5080	71e26e6bac.exe
2392	7c6ab9ad2a.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\71e26e6bac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\71e26e6bac.exe"	explorti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c6ab9ad2a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017001\\7c6ab9ad2a.exe"	explorti.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2392-391-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-409-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-416-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-417-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-1081-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2126-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2575-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2582-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2585-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2587-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2589-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2591-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2593-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2603-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe
behavioral2/memory/2392-2606-0x0000000000FB0000-0x0000000001A8A000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
2944	explorti.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4396	5080	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71e26e6bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c6ab9ad2a.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
2944	explorti.exe
2944	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	firefox.exe
Token: SeDebugPrivilege	3176	firefox.exe
Token: SeDebugPrivilege	3176	firefox.exe
Token: SeDebugPrivilege	3176	firefox.exe
Token: SeDebugPrivilege	3176	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
2392	7c6ab9ad2a.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe
2392	7c6ab9ad2a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2392	7c6ab9ad2a.exe
3176	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2944	572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe	82
PID 572 wrote to memory of 2944	572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe	82
PID 572 wrote to memory of 2944	572	4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe	82
PID 2944 wrote to memory of 5080	2944	explorti.exe	83
PID 2944 wrote to memory of 5080	2944	explorti.exe	83
PID 2944 wrote to memory of 5080	2944	explorti.exe	83
PID 2944 wrote to memory of 2392	2944	explorti.exe	86
PID 2944 wrote to memory of 2392	2944	explorti.exe	86
PID 2944 wrote to memory of 2392	2944	explorti.exe	86
PID 2392 wrote to memory of 2640	2392	7c6ab9ad2a.exe	88
PID 2392 wrote to memory of 2640	2392	7c6ab9ad2a.exe	88
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 2640 wrote to memory of 3176	2640	firefox.exe	91
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92
PID 3176 wrote to memory of 2484	3176	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe
"C:\Users\Admin\AppData\Local\Temp\4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\1000016001\71e26e6bac.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\71e26e6bac.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1228
      4⤵
      Program crash
      PID:4396
- - C:\Users\Admin\AppData\Local\Temp\1000017001\7c6ab9ad2a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\7c6ab9ad2a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc780f78-68bf-4264-9f99-0463f4179061} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" gpu
        6⤵
        
        PID:2484
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {414bc0cc-97b0-4ebd-b88e-d0abc1a340e7} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" socket
        6⤵
        
        PID:2696
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3020 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1bf804b-a6a9-4d85-9f0c-432f82771d56} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
        6⤵
        
        PID:1884
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7bac03-e16e-468d-8f6c-8c66e3b141f5} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
        6⤵
        
        PID:1656
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4116 -prefMapHandle 4888 -prefsLen 29195 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71770eb1-faa8-4dcd-9a96-bea7e0a25b7d} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" utility
        6⤵
        Checks processor information in registry
        
        PID:4716
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5352 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91941471-c444-4bf7-bb77-2029fe0240b7} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
        6⤵
        
        PID:5888
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb2c289-2752-4fba-9653-d5eae61fb3b5} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
        6⤵
        
        PID:5900
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c575a6b-5cf9-4aef-9bb3-30b1919fceeb} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
        6⤵
        
        PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5080 -ip 5080
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
35d6960c700d2865c69cefd9df17f14e

SHA1
207551f453a60bb9024fa18c9e895b114d3fa6a8

SHA256
d3ac81b3d88b486f1f162c6adeaca5c40b0092639c91d45008879657a784a49c

SHA512
94fc9e5b4a6e7925f2f72cb736094746b44b0c5531f547f1a6093362a538f4250b145d6b86675efee8903bc7a4a7b9b9813391a1394f59f554fa2ea7da103d63

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
892238453a019050c1f326df7a0e3dff

SHA1
4476093351bbb4e292f9d4fc13ac40ce90e3f64d

SHA256
8e8b86521248b6cec11cfab427979175aeaaeb36020653dcc46d0d02db72fd24

SHA512
2e40fa9a0aa65399d4775af6469f045f49efacbe8f51fc7ebe4760cb13f63c1bd1c95a86fbd837d4586899687268e225f4a8d6d1431ee5b43c4273b4346d9b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
b045977f163ae6cd38499d59fe29fa96

SHA1
877a5b6f46b632c3c476042e92772c78e0e08de1

SHA256
4bfbec5f3a6ff1dabd379711b77d9d526901a3ccd8c2168fa9e4a7c3e4d09374

SHA512
92d4e67368218d627d4ce51beb9ec6a9ba6df871de244db35306488c24f1273500984f0735b64502a245a3572a98bb472d1a6c1b35d6460815c81fcc4e6a2bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\71e26e6bac.exe

Filesize
245KB

MD5
8cd9f617f145c5a958d7e2a8b14747a2

SHA1
82b3d3dd82a8793db937ad6a9a7db2dcc207c6d1

SHA256
c945bc9c0ed048cc87a1e4398ab909d2522fa098d5159231d84946f4da4517df

SHA512
4643ae00549ebb0f82833d51b5314a002f79068a30ffc75f2eca908f7c04ae9d6063083ba174be2260255dc5ee2418f74c90035550403cd51b252b3d9a2af1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\7c6ab9ad2a.exe

Filesize
3.1MB

MD5
8eb8080595c09d49388ba0321720f4ca

SHA1
4c7ac7bbc67c3d3663db5d7a3a48288c366d65d9

SHA256
677858310f9f4c8f6bac736ea1e0b87e08d58f270c479257b32089d408d4cb7a

SHA512
b49c54fc38efce7940bd0b66381017f458f7252927ba07efced7ce619377513c4c5956bbe21781acab18dc76805d0b611fe004a6efba65d103a0c1b060f45e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
17KB

MD5
6ec96bc287035fdf7b0e268df5dc58fd

SHA1
f7a3b4a3f851026af945ca565b34db2e0ce8a8c4

SHA256
e4ab29a61ceb3797fefd7ea2d8ada42725ebffa49bc5e94704e7eef9de5028b7

SHA512
8803225f8d95ab4d9d864b1734c8e91a8a20333548b61885a1048a67f127438491dbc055f10f75e1a1a62a2a17d009eba7da87eb633241ffed11fcf402aaa27a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

Filesize
8KB

MD5
276c18f8bb81a487fe832fb70a1c7258

SHA1
598079131bee7f6bf6581db3aa357b2961637324

SHA256
a9024e140103367895d6cf49f42b3fd1a6ee10dcacb6d9c90e0811acd7987c35

SHA512
de5159c7135fb3a29bb2ef1bcbe4c2a49d0ec7c64807816945baf2f3fd9f4297c71e8997616f3e22ebb9de2bb96dba2ecd9748fe946cc4ab4a91abda44b022d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
627921f154a759211039f4eb8aed0cc8

SHA1
8a7afa7532c4c423db98b61b76f3db815c31d4d3

SHA256
492b2b7a54fff5725910f2a2f38033785b402473847cd5592d25bb55574e2c7d

SHA512
691aa01c36c9d678de462ccf2b721793f644c50be3bbe61f4cb95bbe778e8c430aea349e370cef9ad821da65c18712707d20c6eff3d246e23f207f79589ebc95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
283208cd084fb7e68c7efebdab73dd7c

SHA1
323e3eeda5db85a0b544fceff39772fb27c2a27c

SHA256
899754a92010c780e47784f8d083da03e95f7a97d6d13b4461d37946cb73cfd4

SHA512
e18e5f937b15f3d417670581a492e7820a0e5a3c006398b143d425458e673bed5fd732388e72eb25d26297308f8b32ed1fc6a574237c8d0938ff1888101281b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
43c7b6266d5ea961398011eaae5e8c22

SHA1
0407045394c86c0418a14e1bd52079a6d3c54d37

SHA256
0fecebb23e55fb9c9488995eaabc24ce2b74c3b00139d6d2c10f5bfca96b5e4f

SHA512
5bc83bb3d4c1f466907878e8de1d6e2c24d44b3dacc64926c4e909f033cbabbf21317c12ba0a3824dd7a28814be9bb8066a8cb81f34a4c0cf9baaca109b5aea6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\292abdd2-697e-4672-900d-9928990c205b

Filesize
25KB

MD5
7d0d99aef8a3779cfa39056c692527e6

SHA1
0114c805910e7618aeba105114ddde88aede28cc

SHA256
dd980468b2dee969fa88f1d3e3c347a8f51d6f326276936bc52b90aef1740d56

SHA512
a8defd51bc0831db1ed231e69b747bd0c25e63604e434683d68d8f30aafc9671f2691eb06d4b5ef85b81ed2dbf276020467c2bd2f3c99c0b24b9350945a42139

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\71d134ba-e768-4dc3-87fb-79879d3145a2

Filesize
982B

MD5
6cd48a33001510b5611f9371c1f06c97

SHA1
3321a80eb73b0fbeae8080abaa8e226c795eea6e

SHA256
f50245f15ddb9396976b5cf0c614ed0127c78dca594308795af747f35574b404

SHA512
f7e703558dfb76b39b9f4694cece4f91dd1f4302adf7cd7bc29a76cf9c44cc58c9d618bd8aa33b45661e30d8204a61c5385eb816cd3dc524310ddc4de62c2f4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\bb75d8e2-3936-4eb3-88d5-5d8652a43bc6

Filesize
671B

MD5
768aeb06fcf27102cbcccb05f99a45e9

SHA1
a1b7e22908490d35bdaebbd3e9d160605db27280

SHA256
27b65bd67666392cfae255bb19abb8d03ad619438981243eb612786dc8106360

SHA512
311f775c66e7be99ea639f4aba664330cb0b815b7447d88fdd90de78f6ba5889f699e72b86b70876268a9e3b4abe787e8287316e139c91482f0fffd498b7ec91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
12KB

MD5
917aeef7baf1ac25a7224efd5ce8a00d

SHA1
244b2ceb2048cd1cac32e9a3e00c049603526f82

SHA256
df0d3e699a28589c8942819c64796a22c83309b460eba80d990b9225236b08e9

SHA512
9fda69b05a8c71b0f78c55fad16fb735b72fe4905957afbda27995f0e7c5bf8de713e2640d4b56f5a9bd65a864b0c04336a5499843a77a4973674e2b8dba4049

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

Filesize
14KB

MD5
a957e536a5c94b6c94e312e15a553cbf

SHA1
7888ff81ba30d2801e983ed4cf8e22aa5fd883f8

SHA256
1646ca756b74095e0879615a98ac82fa2701318cf9c930a137c4a6e64a1de9ce

SHA512
aba75c264039251e78906169bd13b34cd7dc89cfe0b817c34b60611b76f5bb977fb6492c68050b6d0ed9af5d8ac25136ce9e2e71f002f93448a0fbb9838bc5ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

Filesize
8KB

MD5
c7aad42d86f8c85251624b52f888a8fe

SHA1
3eb9736275f2552002785660b21b2a8f44f42013

SHA256
a59fb9f7722f47b3d52e3098ccf0f5e34bb9fe1beb53c33e5d795c0401ee0b66

SHA512
8514bce2c9df4847c298ba6c0fd1d0028988639a21750b8363979b018290c32d3b6c46a775314e1d787639f661f4d36b1f32717d19eec65394a491f139c223ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.2MB

MD5
4c31eda4c01edf0a2c49c078d36f790a

SHA1
562bfbe031d1a6983948873d76cf77b90d48ef96

SHA256
f24d1b104f8196615dc74cefc5e76c7d959337694a11f35d1bc0a8e805c4864d

SHA512
ecf733ae3d0a2efcd7ea28d536fc0ee2254c7f84a8adb16b73bfc180dfe189a7d11b2449a02859ab098155ab888374c808049de4177ff2a25c81f0a67410b786

Download Submit
memory/572-0-0x0000000000AD0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/572-16-0x0000000000AD0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/572-4-0x0000000000AD0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/572-3-0x0000000000AD0000-0x0000000000F8E000-memory.dmp

Filesize
4.7MB

Download
memory/572-2-0x0000000000AD1000-0x0000000000AFF000-memory.dmp

Filesize
184KB

Download
memory/572-1-0x0000000077666000-0x0000000077668000-memory.dmp

Filesize
8KB

Download
memory/2392-416-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-1081-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-409-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-417-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2606-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2603-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2593-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2591-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-391-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2589-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2587-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-55-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2585-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2582-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2575-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2392-2126-0x0000000000FB0000-0x0000000001A8A000-memory.dmp

Filesize
10.9MB

Download
memory/2944-2569-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2588-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-18-0x0000000000531000-0x000000000055F000-memory.dmp

Filesize
184KB

Download
memory/2944-415-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-19-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2576-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-619-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2584-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-20-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2586-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-410-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-1772-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-354-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2590-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-398-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2592-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-405-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2594-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-17-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-406-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2605-0x0000000000530000-0x00000000009EE000-memory.dmp

Filesize
4.7MB

Download
memory/5080-56-0x0000000000400000-0x0000000002456000-memory.dmp

Filesize
32.3MB

Download