amadey | 81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
Size

1.8MB
MD5

67a054f530e13365d7d22de40557c61e
SHA1

e3a035ed41792df542c6ce00a41394b2d60f97ba
SHA256

81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e
SHA512

45438dca791bf0f1fe737bfa4b3657822546ed2a7190f23d5a84d5da67f1cd55d4de5ab684db53cce831c33610205ac1b3a7b1d2361966bcbc2b13093ba74f0c
SSDEEP

24576:ZXQpxLIdfOIZcmNEswSX9YPKgP/9LZ3IikNNbrNw+A6YdtTsqgowvTVaPNK:ZgpxUdWIZJtwOdQFZI1w+sDIqgoYkPQ

Score

10^/10

amadey stealc 0657d1 default kora credential_access discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

default

http://185.215.113.24

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Executes dropped EXE 6 IoCs

pid	Process
2064	explorti.exe
4240	7290466552.exe
4604	0d2279928a.exe
1812	9f02a3db3e.exe
5304	explorti.exe
5948	explorti.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\7290466552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\7290466552.exe"	explorti.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4240-418-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-440-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-547-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-1533-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2595-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2601-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2609-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2611-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2613-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2615-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2620-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2622-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2629-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe
behavioral2/memory/4240-2631-0x0000000000EC0000-0x00000000019A5000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
4708	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
2064	explorti.exe
4240	7290466552.exe
4604	0d2279928a.exe
4240	7290466552.exe
4604	0d2279928a.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
5304	explorti.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
5948	explorti.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	4604	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7290466552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d2279928a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f02a3db3e.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4708	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
4708	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
2064	explorti.exe
2064	explorti.exe
5304	explorti.exe
5304	explorti.exe
5948	explorti.exe
5948	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	firefox.exe
Token: SeDebugPrivilege	4356	firefox.exe
Token: SeDebugPrivilege	4356	firefox.exe
Token: SeDebugPrivilege	4356	firefox.exe
Token: SeDebugPrivilege	4356	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4356	firefox.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe
4240	7290466552.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4240	7290466552.exe
4604	0d2279928a.exe
4356	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 2064	4708	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe	82
PID 4708 wrote to memory of 2064	4708	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe	82
PID 4708 wrote to memory of 2064	4708	81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe	82
PID 2064 wrote to memory of 4240	2064	explorti.exe	85
PID 2064 wrote to memory of 4240	2064	explorti.exe	85
PID 2064 wrote to memory of 4240	2064	explorti.exe	85
PID 2064 wrote to memory of 4604	2064	explorti.exe	90
PID 2064 wrote to memory of 4604	2064	explorti.exe	90
PID 2064 wrote to memory of 4604	2064	explorti.exe	90
PID 4240 wrote to memory of 3440	4240	7290466552.exe	91
PID 4240 wrote to memory of 3440	4240	7290466552.exe	91
PID 2064 wrote to memory of 1812	2064	explorti.exe	92
PID 2064 wrote to memory of 1812	2064	explorti.exe	92
PID 2064 wrote to memory of 1812	2064	explorti.exe	92
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 3440 wrote to memory of 4356	3440	firefox.exe	95
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96
PID 4356 wrote to memory of 2552	4356	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe
"C:\Users\Admin\AppData\Local\Temp\81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\1000036001\7290466552.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\7290466552.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34ed84b8-a5cf-49bf-8432-3e675a08de91} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" gpu
        6⤵
        
        PID:2552
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2308 -prefMapHandle 2280 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dbdc263-e4e8-4059-9e11-309a925c035b} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" socket
        6⤵
        
        PID:2596
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2816 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14bc467d-6cfc-4e14-b6f1-04993eef2da3} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" tab
        6⤵
        
        PID:2684
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ed5e36a-e502-4102-b434-30c3acb38b4e} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" tab
        6⤵
        
        PID:3364
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4484 -prefMapHandle 4496 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daafdfe7-65aa-4c7b-bbbe-0fd0511b8525} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" utility
        6⤵
        Checks processor information in registry
        
        PID:1032
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 3 -isForBrowser -prefsHandle 5572 -prefMapHandle 5464 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {678f3ba0-8782-4c51-8d4b-91ca70d88c65} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" tab
        6⤵
        
        PID:5912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 4 -isForBrowser -prefsHandle 3004 -prefMapHandle 4568 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {780eafd6-6025-46cf-bc6a-77591e09d425} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" tab
        6⤵
        
        PID:816
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5860 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba57a872-c188-4752-be3c-96a6b23f61c4} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" tab
        6⤵
        
        PID:1924
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 6 -isForBrowser -prefsHandle 6060 -prefMapHandle 5960 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e18ff95c-cb4b-4e96-aa28-46aeafc5364e} 4356 "\\.\pipe\gecko-crash-server-pipe.4356" tab
        6⤵
        
        PID:4596
- - C:\Users\Admin\1000037002\0d2279928a.exe
    "C:\Users\Admin\1000037002\0d2279928a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1200
      4⤵
      Program crash
      PID:2808
- - C:\Users\Admin\AppData\Local\Temp\1000038001\9f02a3db3e.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\9f02a3db3e.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4604 -ip 4604
1⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5304

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000037002\0d2279928a.exe

Filesize
2.4MB

MD5
0ba6b7ef538b30997ed3f2dc6b69c534

SHA1
b210bee5380a6edfdda30cd203ea84835c6479ba

SHA256
f0ae1731e5ab53d57601e839a64b105b821d77de6e3645d5d2156c3172ac0f17

SHA512
45d41c2e674269ef68cbff393aa731a57337ffe52d19476e5e259167b1b751885184a93f5ff56d35b3558020d0ad9d58ca0a53a514eb828aea5a8104a7c3d98d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
abbc7c8b753f2c2d1360f0dcf60e2d7b

SHA1
3c264d8aad920519d530662920c35ac1c45dcee6

SHA256
c31cc6d20b2e0feea779e949ff9b687ad8afdc1f5e68eceaaec8a8be1d07bb41

SHA512
671f231392700491615145da4201eaa33d78bcc483315daef2b457b9fe68f54eb4674e42209cd06372c5e3623bbf62ee8406ad69f2317a5280b3fde8c50edf84

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
de4662ae9f1c2a4e3d6d9399c072c2c6

SHA1
a16f2af436badf37d66a08a91d581f7e8bd18c1c

SHA256
6cfebb05382ec6e7bac7febc5887aade57d896b5ffd1f9c50683328b04546d2d

SHA512
ec192ff57a914fec534b2322d6a318f5fb8d0b751ab4fb859da882e3809ecfc92d61ec5681f3139a1394ae7acd07539afd6bbb953cbd6eb42e10435cf8c5da42

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
67a054f530e13365d7d22de40557c61e

SHA1
e3a035ed41792df542c6ce00a41394b2d60f97ba

SHA256
81a2b8f827201dd63e85ee0826d36413ca5708b13e912fe91b6bcb30539a510e

SHA512
45438dca791bf0f1fe737bfa4b3657822546ed2a7190f23d5a84d5da67f1cd55d4de5ab684db53cce831c33610205ac1b3a7b1d2361966bcbc2b13093ba74f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\7290466552.exe

Filesize
3.1MB

MD5
25bcb7ebee3f1cadce066f73f8bf68e6

SHA1
0f645fe8aacf8ed50efa28d10fcb1e6f7f9eabd1

SHA256
9a0d9cd287dd60d8f4aafdcd7020e0ad897fe721a428049c435c24dbcb29bbfc

SHA512
235259094a566e4810aaccbab04c73222c18fa0dc25f6ab72802d69c9cf76b06f142d30eca90e31bee6b1ea778a234fe4782e74542fc2e226eaad9476f86cdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\9f02a3db3e.exe

Filesize
187KB

MD5
278ee1426274818874556aa18fd02e3a

SHA1
185a2761330024dec52134df2c8388c461451acb

SHA256
37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

SHA512
07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
10KB

MD5
a5a4d7ee67840964c712350e793bb448

SHA1
b7e13791686c9149f472513c6f25cf7a96f3add5

SHA256
9f7a77ba88c182334629c48a0e894337ed40e076e6e6d81487ffd7b5b1dc6569

SHA512
98c417a25734e2cf41202f1924d2495670a6768d1186f47809b646bf6794ba699d9821f6d39f26219cc6d16118e51c8da197ad0543ff16f68aa8cb9e954d4976

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
6f5770d58a81211f9de0c177285e793a

SHA1
929a584529c3ea84db306d08830d24bc805d51a9

SHA256
00d26f231c54db8d3146688fc0608c1d23d169fe5281636e671aa3e4c7e909ef

SHA512
21ead3ed372bf4ff78cdb66b4d9d77fca7e41b7514e162ea6437de0f40733f94c9d9fcec7eb108c243f334f41eda79570899c78cb1a7db5d4767fd941cd58f05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a171a673f4ba5cd4a68805443146b398

SHA1
f8ea9fdb8aeaba79e5f31cc215f9d9fb39f79563

SHA256
c09bcf6b6f7b9606484d598d5f2a20e49f362c7130411a308ae538cc3c7a9b78

SHA512
7250ae891647ed3d54acd849415e8e09b7beb78b856ce842378a5f64a11f60bc0e7e016034bf425703c2b9e124baaaa40d1b5b49acbd595cb1170d5fd129ccdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\7f7b05ed-bf6f-4412-ad75-7b6755a6e933

Filesize
27KB

MD5
2a4df7c0fbc5bd34b87eed9426ee0ef4

SHA1
277f338637177254d48cfb143362c3fd7c4318f7

SHA256
758bb3006d49ebaa71c1a8e35df5e915748138c956853fd4a3b107b5d6d4781c

SHA512
d3e9bc5f54100322c753cab25f8d50b15aa4b855f76c6200379fb02dfcad646455248960aadd40553f8de4a5607609ecf01a28ce1c81ead31beb6fb9396c0a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\89ccafc1-3e19-44eb-8e56-a70f0e5579ed

Filesize
671B

MD5
a6abc24fae7c34552ce9567e7c4fa270

SHA1
690e1487521e7e90a4f8c6cd35890dd4b5de326c

SHA256
13e186d2ddb15dee4dc512346362f3aafa7093090efacc82c7347d32fc6c8c93

SHA512
7b7f19bbb3aac87abe56c694cbc10b7913cb1a52025a7d4e0d56f7bcb35b0f62875240f68299b0f6b27ad70635541df5cb19bca087b5ae27f5dee5551b9ed32f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\96356e99-13ea-40cd-a60b-35c1a1826731

Filesize
982B

MD5
41ce94903f69f731e1b7b8a6d511f2ad

SHA1
0a8f6155ab4150933ba2d79c478ca2816694dbd1

SHA256
6e8649e290bdb2e01fb509209a788aa7ee7c71fa75c3b2c087add9a86dc005a4

SHA512
05ef110ac50a6a58b2d2d1aee1ea77c07aab7ab52de91d40de08440f73693d5802ddd87c225e37eb90418b90ed89620354b881369adc5647b341bf256a15e4dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

Filesize
12KB

MD5
55e398f1533f88305ee269b06bda3d70

SHA1
a60e60009c1375fdc994d2b5aafe0f29743ef175

SHA256
43992735b4a164995145240b5925e70b0a65e2d91ba18d0dfffa4057e771d428

SHA512
53d1cef7c66633cc66563354088177a950bf37d712427f6185cdd4e45a3a7351bf590bd1df00f29a7b064d1f0e6f127ff0e1ef949ce8fbaee326a99bf778d06c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

Filesize
16KB

MD5
fb27af132b0ed253646fd85c70e19137

SHA1
70d8b72697c5fbca03e242593dc990d4895dea5e

SHA256
08989a0baab521345e1ff6a95230c8aa3359c22fe8f20b8f50fa95e5c12656c2

SHA512
3d9695ed12a3dc142055b03c68243e73cea4852d566428d554ee332ea78dc19ee0aaa49aa58e3fd4c208f15b2e1ba01aa74c31728d5f8f48c806b945604a9cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
9c171be9dc63f419705fa9905ce36280

SHA1
388ff5075eb198dbb8f28e6762027bd41d47ccc2

SHA256
c0a2d86fc7b8cd021c623fe3b645fe7a87348875c39efa1d5aba83483cf523b8

SHA512
f13380074419265af21d9bde2a575a4f0aaf2c8116a0f02defa53808c56818852aae1dd4ae58643906eb3f06290e1c6c0be4e62ab420188c3855361aef8e243e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
cc8aa50d73fabc2e313ebb3c4b2a81b9

SHA1
06b638108255dd5dd4520f32b9614fdae80666a8

SHA256
60f99faca2584ce5a6ddbc9da9a6697bcbd9e59bc516ecd278b3f90237dccf39

SHA512
f2f046a8ed8fe2b7336aaec7862576fe9bbcd9e991d36fe41251676b7cdaca5e90c449b64acc623826a5649b669babfe55fec532a4814dfa371618e5dbd2cfd5

Download Submit
memory/1812-72-0x0000000000B10000-0x0000000000D53000-memory.dmp

Filesize
2.3MB

Download
memory/1812-74-0x0000000000B10000-0x0000000000D53000-memory.dmp

Filesize
2.3MB

Download
memory/2064-437-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-1225-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-419-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2630-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-427-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-436-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-383-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2623-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-445-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-18-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2621-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2617-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2614-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2612-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2610-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2607-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-19-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2600-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-20-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-21-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/2064-2191-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/4240-1533-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-547-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2615-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-40-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2631-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-418-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2595-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2629-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2601-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2620-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2609-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-440-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2611-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2622-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4240-2613-0x0000000000EC0000-0x00000000019A5000-memory.dmp

Filesize
10.9MB

Download
memory/4604-56-0x0000000000400000-0x0000000000FED000-memory.dmp

Filesize
11.9MB

Download
memory/4604-403-0x0000000000400000-0x0000000000FED000-memory.dmp

Filesize
11.9MB

Download
memory/4708-17-0x0000000000CC0000-0x0000000001177000-memory.dmp

Filesize
4.7MB

Download
memory/4708-0-0x0000000000CC0000-0x0000000001177000-memory.dmp

Filesize
4.7MB

Download
memory/4708-4-0x0000000000CC0000-0x0000000001177000-memory.dmp

Filesize
4.7MB

Download
memory/4708-3-0x0000000000CC0000-0x0000000001177000-memory.dmp

Filesize
4.7MB

Download
memory/4708-2-0x0000000000CC1000-0x0000000000CEF000-memory.dmp

Filesize
184KB

Download
memory/4708-1-0x0000000077176000-0x0000000077178000-memory.dmp

Filesize
8KB

Download
memory/5304-2249-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/5304-2192-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/5948-2618-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download
memory/5948-2619-0x0000000000C80000-0x0000000001137000-memory.dmp

Filesize
4.7MB

Download