amadey | 4358fd7c8502eb3007a60e97f42315dda81c8dda507e3e0913608bf643d6c9bd

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98253e05db4faa3ad05aa1843e880710N.exe
Size

1.8MB
MD5

98253e05db4faa3ad05aa1843e880710
SHA1

04a419c2d23b65775328cc8e897e5357ec1e5938
SHA256

4358fd7c8502eb3007a60e97f42315dda81c8dda507e3e0913608bf643d6c9bd
SHA512

9f8ece8a4fb78968fe066c98587ea5dc8632b3da901e3e01acd373930690dd456965889f6c62a060a31fb474938f33bf2ac435867f7e0ac67e0a8a01e66ff966
SSDEEP

49152:kq13YiUJ+me6wlLB4cXZe2EmesjII2IdS8/YyjFy:kO3YPgDvl46guHjIpUD

Score

10^/10

amadey buer stealc 0657d1 default credential_access discovery evasion loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default

http://185.215.113.24

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Buer
Buer is a new modular loader first seen in August 2019.
loader buer
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98253e05db4faa3ad05aa1843e880710N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98253e05db4faa3ad05aa1843e880710N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98253e05db4faa3ad05aa1843e880710N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Executes dropped EXE 4 IoCs

pid	Process
2740	explorti.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
276	5110f359c8.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	98253e05db4faa3ad05aa1843e880710N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine	explorti.exe

Loads dropped DLL 8 IoCs

pid	Process
3004	98253e05db4faa3ad05aa1843e880710N.exe
2740	explorti.exe
2740	explorti.exe
2740	explorti.exe
2740	explorti.exe
2740	explorti.exe
1296	8370bd86bf.exe
1296	8370bd86bf.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\46736b552c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\46736b552c.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2808-232-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-236-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-246-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-292-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-349-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-354-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-384-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-400-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-428-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-437-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-442-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe
behavioral1/memory/2808-445-0x0000000000FE0000-0x0000000001ADA000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
3004	98253e05db4faa3ad05aa1843e880710N.exe
2740	explorti.exe
2808	46736b552c.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
1296	8370bd86bf.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	98253e05db4faa3ad05aa1843e880710N.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98253e05db4faa3ad05aa1843e880710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46736b552c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8370bd86bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5110f359c8.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8370bd86bf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8370bd86bf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	98253e05db4faa3ad05aa1843e880710N.exe
2740	explorti.exe
1296	8370bd86bf.exe
1296	8370bd86bf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	firefox.exe
Token: SeDebugPrivilege	1628	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3004	98253e05db4faa3ad05aa1843e880710N.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
1628	firefox.exe
1628	firefox.exe
1628	firefox.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe
2808	46736b552c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2808	46736b552c.exe
1296	8370bd86bf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2740	3004	98253e05db4faa3ad05aa1843e880710N.exe	30
PID 3004 wrote to memory of 2740	3004	98253e05db4faa3ad05aa1843e880710N.exe	30
PID 3004 wrote to memory of 2740	3004	98253e05db4faa3ad05aa1843e880710N.exe	30
PID 3004 wrote to memory of 2740	3004	98253e05db4faa3ad05aa1843e880710N.exe	30
PID 2740 wrote to memory of 2808	2740	explorti.exe	31
PID 2740 wrote to memory of 2808	2740	explorti.exe	31
PID 2740 wrote to memory of 2808	2740	explorti.exe	31
PID 2740 wrote to memory of 2808	2740	explorti.exe	31
PID 2740 wrote to memory of 1296	2740	explorti.exe	33
PID 2740 wrote to memory of 1296	2740	explorti.exe	33
PID 2740 wrote to memory of 1296	2740	explorti.exe	33
PID 2740 wrote to memory of 1296	2740	explorti.exe	33
PID 2808 wrote to memory of 1072	2808	46736b552c.exe	34
PID 2808 wrote to memory of 1072	2808	46736b552c.exe	34
PID 2808 wrote to memory of 1072	2808	46736b552c.exe	34
PID 2808 wrote to memory of 1072	2808	46736b552c.exe	34
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1072 wrote to memory of 1628	1072	firefox.exe	35
PID 1628 wrote to memory of 1976	1628	firefox.exe	36
PID 1628 wrote to memory of 1976	1628	firefox.exe	36
PID 1628 wrote to memory of 1976	1628	firefox.exe	36
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37
PID 1628 wrote to memory of 2300	1628	firefox.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\98253e05db4faa3ad05aa1843e880710N.exe
"C:\Users\Admin\AppData\Local\Temp\98253e05db4faa3ad05aa1843e880710N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\1000036001\46736b552c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\46736b552c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.0.1168641509\641061087" -parentBuildID 20221007134813 -prefsHandle 1160 -prefMapHandle 1084 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c4aaf4e-44dd-48c7-a161-713adf96f240} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1236 13a06e58 gpu
        6⤵
        
        PID:1976
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.1.1964777574\1893754792" -parentBuildID 20221007134813 -prefsHandle 1556 -prefMapHandle 1552 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0424e6f5-1f69-48dd-b7da-1fa6d230ee6b} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1568 e73658 socket
        6⤵
        
        PID:2300
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.2.1074409840\88855346" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38039ae8-708d-4369-9959-9eaeca79e491} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 2000 18492e58 tab
        6⤵
        
        PID:744
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.3.986912467\897067896" -childID 2 -isForBrowser -prefsHandle 640 -prefMapHandle 632 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c4e476-caa6-4a2f-a8a1-75d3daee4d3f} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 1820 1cc0b858 tab
        6⤵
        
        PID:1352
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.4.1994432080\1284560825" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eddf545-9601-4ede-abf3-ca5873c0cfb7} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3728 1f3d0b58 tab
        6⤵
        
        PID:3004
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.5.1526965380\1133061635" -childID 4 -isForBrowser -prefsHandle 3856 -prefMapHandle 3832 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e212a07c-e5b3-4c53-a5e9-845ac187a15a} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3908 1f852958 tab
        6⤵
        
        PID:2084
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.6.829400323\313180790" -childID 5 -isForBrowser -prefsHandle 3960 -prefMapHandle 3964 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {935fe8f4-ce94-410b-bd92-c748612b87bd} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 3948 1f852c58 tab
        6⤵
        
        PID:1616
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1628.7.718751907\400502482" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4368 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9916d3a-7c67-4f2f-9993-d0023f3b8d27} 1628 "\\.\pipe\gecko-crash-server-pipe.1628" 4380 1b65b958 tab
        6⤵
        
        PID:3140
- - C:\Users\Admin\1000037002\8370bd86bf.exe
    "C:\Users\Admin\1000037002\8370bd86bf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Users\Admin\AppData\Local\Temp\1000038001\5110f359c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\5110f359c8.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000037002\8370bd86bf.exe

Filesize
2.5MB

MD5
0a59357ee50c8272be24168abcd09fca

SHA1
2f35f3dedf5b11e595e2cb9cbc036859313c1a3b

SHA256
82ebec3391c43c860cf1950e342cee1b4a55f2540ba7cc2ca768bf570f1bf1c1

SHA512
fd3549eaa2b07b241f7bbe205802bec12d5b4c71187122092d56b5026cd24b4fc5702dedbb6edf4c6fe43841001f41c785b394027eba034483e503b7888fb17e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
6882fcd8c3cb50749a5cf71c3f57fd1b

SHA1
d838628dbb575714ce1fc7888da077c12a086349

SHA256
6f15c1c0280e51212541cfa898ef054b0699e6b94c34048c863be90ac498f399

SHA512
dc7eee40b9c517a9575160e59fb32191c0f33047af610650023325f1613c7ed31add7af3b519198c033a3b9f8c3d81f2ce10cd6c53429f2118a82de9f456f9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
98253e05db4faa3ad05aa1843e880710

SHA1
04a419c2d23b65775328cc8e897e5357ec1e5938

SHA256
4358fd7c8502eb3007a60e97f42315dda81c8dda507e3e0913608bf643d6c9bd

SHA512
9f8ece8a4fb78968fe066c98587ea5dc8632b3da901e3e01acd373930690dd456965889f6c62a060a31fb474938f33bf2ac435867f7e0ac67e0a8a01e66ff966

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\46736b552c.exe

Filesize
3.1MB

MD5
52b6dfc2bd72747d3504a704b0170b53

SHA1
15cde6ef0fc483b514860958901bb5d6bcf7fa2e

SHA256
ac30d1d7e808e943b739e88ea26512da2dc7322330ca52732c408bd07e327313

SHA512
8bae636e5777d13c547744c3bffd1221a9dd3d6d5a063adb33607190eaebca284be47f6af69576c1328846b22801fc8a8e3c8feb93a999bf55b963ec7d831aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\5110f359c8.exe

Filesize
187KB

MD5
59eefb04a8cb9a94d148464cd4324e93

SHA1
e1e550383c9de11d18bb6cb5b8d83f62f51340bb

SHA256
d9798bda5b0cd389f0b0f184ded085cded77a8652d96be4054789452b2a04ca5

SHA512
7e5ee340188a83055311e9dde5c6bad8798899447281c56b0e2741d247c540c3b936fc51ad795ef10ffc8a7a15f616aa46c747b33793e7ddceecdff310614e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\cookies.sqlite-wal

Filesize
480KB

MD5
db2cc5076ce3196893f6369ddb54865c

SHA1
99a4adc8d2163d59c0a6706cd68f3db54fa40acf

SHA256
aa8a72e7acc6bf5b2c89481521a17d4b8afbeb8e504b2f7622f1557998aafe93

SHA512
e7a819fca8d4df5281f32baeeeacd554fa82abdf9f08fcd8d5c814b9c4901a1c661fcefdd640d581f47313c65bc42dc4161beb296af93bbc44b960b1c9dac426

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
121f2987f2738c95d71c43bbe52b06da

SHA1
88494ff181cc791abeefe0676ab9b577ea52101f

SHA256
58d11d0b47be8af65469fdbbe5fbf1648e71136c9b921f01c3f6acc74cfb972b

SHA512
db06d3d77efb620290a782d561f5ff3d580c69001263c9a3c4e035437129e938c80b55f89d45dc7bb32997e97ea96a00b4aa011beb586f9aba1a32ab36bec24f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\704e4f4b-4b3f-42e6-a0bd-4ca514add1ce

Filesize
745B

MD5
55605e575eb957fbd73b47108806e500

SHA1
0c7a98943784d878356f834d2bae188f132c081a

SHA256
a824d94ee551e0de70438a1008c6f9a411e65779c3c6f49ccebdbd21bdd206ff

SHA512
9311c28d2937920193171164833355366a9a19ec96fd13e331a374ae942d5589cd92d5b2bb40edd1b2f983cda2cf47e13ebdb8fcecd80f69ea325f25bace6005

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\9c3bbe89-0dfe-463e-a3ba-5e330c1a1bd0

Filesize
13KB

MD5
3285ea9c9293d434d46344e9192c79c0

SHA1
7108eeb1bb45daa89590c744439f410a1f323afb

SHA256
6ed8b00d9b2ab0e8de178828b0940576e9c9b895dc2d154e9c1f9578e4b281c5

SHA512
fd837df8cab4770a2603b405052e4034fb2f33b0505f28007052a5e4c00e45f638d0614c34977e5e837dbd412659144f811a47bf157aa2bea0e710b53e109685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\formhistory.sqlite

Filesize
256KB

MD5
856b71c6e2963c3a2916e696a5859e84

SHA1
126d20bc491959c6cbe751b3b3c2934f2cead2c0

SHA256
db98353069ae3abc53c4464981f1b8aca4aecd113dee1f9b680a437659c0c9ed

SHA512
642ed009e42e43ea8807cc022075880541703937f0b5a8ecab7b30eb3418aab95aa7e02824f4d0d099c7f396965e27f7198ea186f25dad6c97ee3f4e7a7897e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\places.sqlite-wal

Filesize
1.4MB

MD5
cacbf82b0d892c9129e7a4dc998a51fe

SHA1
921fe86cc82ac7b4612e428f26b3f36e799052fe

SHA256
46335f3d76d7c5ac2842ee209914bf3e10aaafdf47395f76720581fa82677e7d

SHA512
33729a575913dd53e64526536daf31e988eeb78cb49eb584bc2db284c72c0ba57536be1022aaeb22d1a5c7344954da8fcbefe0cb3f6ae721c7f8597acd380828

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

Filesize
6KB

MD5
e61c04ee17c41c42e0a17e0e4784b39d

SHA1
104e8235bb164bfc38670fc6f9c1f5b837d0c81c

SHA256
c5e52f39a51ed6b6dbd8b9ca1a36b7659073ce2ad1538a19e34b3bb4807abb4c

SHA512
598bff71a976d9b0781da5c82fb00d13ba6e268f89a9d6b0fba6e7893724ec26bd500addf3e2703c365e7c3755493aea6aa5c97c435bd1bb7532fa23b5bcf71f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

Filesize
7KB

MD5
898ef1fe2c7fbef8c5d5f203e9fc0300

SHA1
d3d920ab7cc4f562ac6a4aafbd97ae1d10585049

SHA256
6192992c079c867e30317433d7c71cf63e6506121e97db73eda28aee45d8bfdd

SHA512
6477141864c494a6c3b613462c36e6f2ec03008ffb02ec06018b56753121eacdaeefcde8acb17c4cc732251566e219a20f5eadb61c3d77e2f73b3935f6a4feca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

Filesize
6KB

MD5
3e6255a13b518f1a958836cc066e7091

SHA1
9b7e88e0eed700670b7118e7ab8659ede1fe6149

SHA256
2ba504496867df58a7c14b7d68bf64a85d3e30bf22b975e1f959404419215637

SHA512
d7c4599a21ad371b7bfe3a23138d2b407f7f216bcdafd3fe5c5a6960d24a5395eb871ccc523d692c1129bf3ee4c23aef06648360e2bf1215384f064c184e8736

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

Filesize
6KB

MD5
541f85440d62fea34dc9aabbbc491ce3

SHA1
46d84ef95a697b1b2951e9bbb3b6a6acfe1abae7

SHA256
0e85cfa9f82919f0f9f5bdfda9364866a52c1a272c1abf68b12dee488a5793c7

SHA512
79628904456ba66013f8eeaa8f85dab3c8355459da228d9af7a24bce02f719b4ba5d41cc2c4fee7e5e41872788a7032289e6aefeb9c63878c7edd4cbbe4485ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs.js

Filesize
7KB

MD5
04ef683872f790ba573d12e31a1de544

SHA1
c8ff1d5b47c00d5b278d9559f855cbd7e399ad4e

SHA256
20dc078f9e34e387b960d6caf082504b98fd0d0f1f0469a4830d774cf4484e6b

SHA512
49ac0c9c534129c069b93efdc4dd88b5e2d60602c92a895c3cfbe3bcdba23334bd99693abad7d3cafceaf30dabc28e1a2fd9326c87af7afddff695fe9d6a8703

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
13a965643577651062ba1ef1491150a7

SHA1
386ced66f4a346012497c6339c9790cf5f10a548

SHA256
905d3fe8b64cc413fd73eb8b21abbeae35ff39e664e14c4355bee1c1a59888ba

SHA512
d16ee2e14e5d1d175613cccfae1220722f81bba15dce35e4f0ad03edf9ac0ef4147b9d21926cdfc845359eb4fdb3fb39fb6e353cbfccaa85cc9616ea2920b0fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f2e9b1cceaebba610c915fa78ba84d58

SHA1
0c0aa92ef068b40e877a99e96b6c461c678eda78

SHA256
3c136fc37d28e2762c6cedd8e30a94e014599233dad7e70a2eb948a71c993345

SHA512
ec83e06c4f5ce011eecb77bd5269298230130a4a870f4151bb2a3a7a10ee3c1fb366417d13845770b85aebe0a214b7b708d00a0bffec229f0210d62feb57327e

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/276-88-0x0000000000080000-0x00000000002C3000-memory.dmp

Filesize
2.3MB

Download
memory/276-441-0x0000000000080000-0x00000000002C3000-memory.dmp

Filesize
2.3MB

Download
memory/276-444-0x0000000000080000-0x00000000002C3000-memory.dmp

Filesize
2.3MB

Download
memory/1296-385-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-435-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-404-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-234-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-293-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-244-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-378-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-355-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1296-351-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-252-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/1296-57-0x0000000000400000-0x0000000000FFE000-memory.dmp

Filesize
12.0MB

Download
memory/2740-17-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-18-0x0000000000331000-0x000000000035F000-memory.dmp

Filesize
184KB

Download
memory/2740-81-0x0000000006600000-0x0000000006843000-memory.dmp

Filesize
2.3MB

Download
memory/2740-55-0x0000000006B70000-0x000000000776E000-memory.dmp

Filesize
12.0MB

Download
memory/2740-218-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-443-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-56-0x0000000006B70000-0x000000000776E000-memory.dmp

Filesize
12.0MB

Download
memory/2740-253-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-313-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-233-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-34-0x0000000006B70000-0x000000000766A000-memory.dmp

Filesize
11.0MB

Download
memory/2740-21-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-19-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-235-0x0000000006B70000-0x000000000766A000-memory.dmp

Filesize
11.0MB

Download
memory/2740-217-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-438-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-186-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-352-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-439-0x0000000006600000-0x0000000006843000-memory.dmp

Filesize
2.3MB

Download
memory/2740-440-0x0000000006600000-0x0000000006843000-memory.dmp

Filesize
2.3MB

Download
memory/2740-245-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-379-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-436-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-80-0x0000000006600000-0x0000000006843000-memory.dmp

Filesize
2.3MB

Download
memory/2740-396-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2740-405-0x0000000000330000-0x00000000007E7000-memory.dmp

Filesize
4.7MB

Download
memory/2808-236-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-354-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-445-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-292-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-442-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-37-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-349-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-428-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-400-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-232-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-384-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-437-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/2808-246-0x0000000000FE0000-0x0000000001ADA000-memory.dmp

Filesize
11.0MB

Download
memory/3004-1-0x0000000077B70000-0x0000000077B72000-memory.dmp

Filesize
8KB

Download
memory/3004-2-0x0000000000A01000-0x0000000000A2F000-memory.dmp

Filesize
184KB

Download
memory/3004-3-0x0000000000A00000-0x0000000000EB7000-memory.dmp

Filesize
4.7MB

Download
memory/3004-5-0x0000000000A00000-0x0000000000EB7000-memory.dmp

Filesize
4.7MB

Download
memory/3004-0-0x0000000000A00000-0x0000000000EB7000-memory.dmp

Filesize
4.7MB

Download
memory/3004-10-0x0000000000A00000-0x0000000000EB7000-memory.dmp

Filesize
4.7MB

Download
memory/3004-15-0x0000000000A00000-0x0000000000EB7000-memory.dmp

Filesize
4.7MB

Download