amadey | be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
Size

1.9MB
MD5

4677c508190bb4d41c07adf244226dc8
SHA1

13f0fef0d61f1c7ecd5681ce95d8c7a30d894b8e
SHA256

be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd
SHA512

3006a047e583b589d60b61fefc961856d820f5936d214bb9f33f18e989804ddf7b7da07e0d9940ef07f3d7c527bf01f308d07c2c7fddd975165ddf72ba863803
SSDEEP

24576:NE2foL7YIOQGJpuaMCfQiFhQWxit32CvpDM6QMYm02QfN5rOFA4eAItjKOT77uuM:NFoP+Q6w4fzATvtMLmxQfP5d17ugcv

Score

10^/10

amadey stealc 0657d1 default kora credential_access discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

default

http://185.215.113.24

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Executes dropped EXE 6 IoCs

pid	Process
860	explorti.exe
4912	3d1dead6a5.exe
2084	229c464510.exe
3920	b39ad74649.exe
2756	explorti.exe
3300	explorti.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine	explorti.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\3d1dead6a5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\3d1dead6a5.exe"	explorti.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4912-428-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-443-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-585-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-1525-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2498-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2543-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2551-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2553-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2555-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2557-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2560-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2564-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2574-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe
behavioral2/memory/4912-2577-0x0000000000F10000-0x0000000001A0C000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
860	explorti.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
2084	229c464510.exe
2084	229c464510.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
2756	explorti.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
3300	explorti.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3932	2084	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d1dead6a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	229c464510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b39ad74649.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
860	explorti.exe
860	explorti.exe
2756	explorti.exe
2756	explorti.exe
3300	explorti.exe
3300	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	firefox.exe
Token: SeDebugPrivilege	4808	firefox.exe
Token: SeDebugPrivilege	4808	firefox.exe
Token: SeDebugPrivilege	4808	firefox.exe
Token: SeDebugPrivilege	4808	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4808	firefox.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe
4912	3d1dead6a5.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4912	3d1dead6a5.exe
2084	229c464510.exe
4808	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 860	5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe	78
PID 5116 wrote to memory of 860	5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe	78
PID 5116 wrote to memory of 860	5116	be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe	78
PID 860 wrote to memory of 4912	860	explorti.exe	79
PID 860 wrote to memory of 4912	860	explorti.exe	79
PID 860 wrote to memory of 4912	860	explorti.exe	79
PID 860 wrote to memory of 2084	860	explorti.exe	80
PID 860 wrote to memory of 2084	860	explorti.exe	80
PID 860 wrote to memory of 2084	860	explorti.exe	80
PID 860 wrote to memory of 3920	860	explorti.exe	81
PID 860 wrote to memory of 3920	860	explorti.exe	81
PID 860 wrote to memory of 3920	860	explorti.exe	81
PID 4912 wrote to memory of 3984	4912	3d1dead6a5.exe	82
PID 4912 wrote to memory of 3984	4912	3d1dead6a5.exe	82
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 3984 wrote to memory of 4808	3984	firefox.exe	85
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86
PID 4808 wrote to memory of 3536	4808	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
"C:\Users\Admin\AppData\Local\Temp\be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\1000036001\3d1dead6a5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\3d1dead6a5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a393d08-115b-4d16-90e3-8623b934fe0e} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" gpu
        6⤵
        
        PID:3536
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd95a143-006d-4dc6-9031-9fb8816aae87} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" socket
        6⤵
        
        PID:4592
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 1436 -prefMapHandle 2948 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7089992-093d-4fc7-906f-b935dec438cd} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" tab
        6⤵
        
        PID:2336
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c001eb50-559e-458a-a8db-f60ba414a38c} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" tab
        6⤵
        
        PID:3176
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4732 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d65f010-351d-4214-9c63-14f984bbc594} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" utility
        6⤵
        Checks processor information in registry
        
        PID:2408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 4520 -prefMapHandle 5408 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d28ea36-31ff-4b38-9686-d8b10b51e243} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" tab
        6⤵
        
        PID:4760
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42d21cd6-33dd-4c13-892c-4d1dbac18ff1} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" tab
        6⤵
        
        PID:4620
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fe0f39a-7422-4d09-9d57-5dcaed9e3e26} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" tab
        6⤵
        
        PID:2792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6208 -childID 6 -isForBrowser -prefsHandle 6188 -prefMapHandle 6192 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1352 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a99b59-9fb5-4043-ad79-3068996ede17} 4808 "\\.\pipe\gecko-crash-server-pipe.4808" tab
        6⤵
        
        PID:852
- - C:\Users\Admin\1000037002\229c464510.exe
    "C:\Users\Admin\1000037002\229c464510.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1468
      4⤵
      Program crash
      PID:3932
- - C:\Users\Admin\AppData\Local\Temp\1000038001\b39ad74649.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\b39ad74649.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2084 -ip 2084
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000037002\229c464510.exe

Filesize
2.4MB

MD5
37a0929b19918e97a78e12deca6d41bb

SHA1
eccdca67543dcfa735126b76fcd0d8573c788b93

SHA256
eebdf6b9a3379b2c150cefbce99478ac46794bc57b4d4e417cc08555b1e208c0

SHA512
b1538e41655f0eaf31175cf6e3f13e29cbdc53e890062dbcd1fa76b4086153364c7a1246bb8e19f34e5f75be3fc8f2e8d4d302ea18c4d926c1a7667b78dea353

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
acf014f3009c8418f655f25e2e277561

SHA1
f95eb90498ceeac2b4c87b8945a009ef63ef934b

SHA256
9377078f501e9cff5bd45ce9b7c3e62c82ef8fdc3b2aa156cb36e020807fbcf0

SHA512
68d1ebfeade39e2247286c343cc1989046349b20f66b6ac43830d174c61f644cd838ad3cb123dac248ee556be8d9a7f6abb3fdf8e7123f5df679013a6260c772

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
c8cc0b2d9e4dc9be45e546e5bb37427e

SHA1
e25fbac767ea59f66850a9a3219247eaf3b82c5c

SHA256
6394d35356e469b1ad0100cf0cfe37bc8a72642d73f0fcc05e987cbe1481c6a7

SHA512
60b8f0e9b3dda484e1a5c19be28ff9f0a0ee8afe940bd102ebfb0c1ce0ce8479e6a7521d979120b2096648c456e8e0f5e7cb406b985015e7a5873acd66e4d34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.9MB

MD5
4677c508190bb4d41c07adf244226dc8

SHA1
13f0fef0d61f1c7ecd5681ce95d8c7a30d894b8e

SHA256
be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd

SHA512
3006a047e583b589d60b61fefc961856d820f5936d214bb9f33f18e989804ddf7b7da07e0d9940ef07f3d7c527bf01f308d07c2c7fddd975165ddf72ba863803

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\3d1dead6a5.exe

Filesize
3.1MB

MD5
19417b03222b012127038fb25e2eb2d3

SHA1
79bd763cb76d85c5eba125c41c9185b70e996a99

SHA256
ac3c551f36ea2c77d8685944cab9522b9b379935de874f84388abf8be0c45f9d

SHA512
2e063757be6571d4c9943509ffaf3972ed0490130c483e54cff51905a35352afd91499798a7273ab039e6f80a93e3cc3137bf756ca7df1a9b411337bc918dc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\b39ad74649.exe

Filesize
187KB

MD5
278ee1426274818874556aa18fd02e3a

SHA1
185a2761330024dec52134df2c8388c461451acb

SHA256
37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

SHA512
07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

Filesize
10KB

MD5
9420e9a3382ce4a8b1397e4b9d23f10b

SHA1
ffff067ca130343abaf03404a332f1e7c768a71f

SHA256
04dc9f4e1a07e1c66d289f4cea2fee93d80cca46f0b5402ab2edc2e7b5941fd7

SHA512
5e1076f9d7647515b90308207087688277e552d83537071695ed974f227aea693bb41e7e89a6ffc984262f6897b8a26b47b39cc6403cab5c744a6b1c0bf3b1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
34dd1b31465a34bdce27f593a32e527a

SHA1
40a2e9fbc2193d0d7e03045a9607a6d953a03175

SHA256
be4b7eefcf92e378aaab997844bd724cea20b942014e119498f66f39147e4e10

SHA512
9153ab268d1c7a87a91fd654e82aead6d860261187317a2eeec210ce94d29a17ba80d89b1c7e22b91bbaf323c0a4859fd1dfff0f49eaf2815ff3a6975757bf95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
207c207435b42feba3d731187fcc6f99

SHA1
31abd81da12623cc76f12c9eb63f2e84a5f27bb0

SHA256
bd084585bc32e83d5073f2850a09d8592169484abd300cebe2f9bdf243f8f803

SHA512
f96afb4858116a0f7028cbfd418d0777cf49dd185bd01515adfbed6fadcf985ae5734f88316b0e02b8c41444878594349007711c80dce6da4d1b70bdc95a0e17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
01a5a6cc0947f362168c518439a88604

SHA1
76a5e64ba2592d7420b7500b7fd22541ccf3e077

SHA256
de657639e266a66d44b346e36f9020738d0dfc62768e5d9947c0f9daaec28540

SHA512
3140c18b9f9d8686923df6f4c1eb4e376719641d15eebaa767dc4feffdbc7f07703f6499f27ec2bfd86c27121baee078369219c08351a0da8b44d92c48755b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\46167a57-ebd7-4a6b-af60-1ac37ae20dd2

Filesize
27KB

MD5
2ed1ef87435014b3fcbef6eb69515d0d

SHA1
f2f1986c2de3a13754b814d3023f3315d8797572

SHA256
4d98204d56532ec7e3f31ea1f2dd9b6409fc8d0f6f74788d5fd02b8d06c0ed9e

SHA512
8fcadb7b31bbd063c33eaae640eb8a095e320d2e4c190503a552c175bf6d7721b287bfd826248773ae8b3e73bfb3ca67e0bcb653075bec1179441233354b7dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\91bd4527-7390-4324-addb-599b99068a54

Filesize
982B

MD5
466ae4599b8739641f8fbe06365f1fcc

SHA1
be8c96fc9698c8d102f2586a0f5ee4a63cdd8776

SHA256
74f078b5519dd42c456337cb58bf00d3dff111f2dbbf4f92bcc559dc3f4caad5

SHA512
9df77a9fd08d159f4400a5e37e5ecba0cd7928198499e2711f3133ba000a8773e8b4a62357c7ef29956c1a519194eac9ef525448dd2801d6b1bc03068da43f15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\a626f2be-5c4d-418e-a7d3-9e302ccd2169

Filesize
671B

MD5
7c7c950d482d2372b1cc6e216c7fbbc8

SHA1
1de488fa77a90e9b2031ef62b00dfdd439ed45e5

SHA256
742f5347a34bf7f4504c30356cda9a37d250c976e0b8799d074cde8eed52c501

SHA512
b4bf6b1daee0638ec906828cc26bafb41119af05bcc7861ebf90da1db3c6e956e37e37ae840cc7bee83d2142690b035df223089b90f3f20e696cb3061e099636

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

Filesize
12KB

MD5
cc4a0a8ce7f0b8bdd2c3047bfcfcec56

SHA1
691db4bdfa3cb64e943b022fa5b2b5e3a984c95d

SHA256
0074ba2f85911621983c7e2392165fe0357d9a6dd9c10ca86458618de8f080a9

SHA512
0e8de3b3b425641719f80b4a71a8ff0ee9c7c149c1e9b0070e575b419c8b9de5eee9d577267fcd1f978d00728b45618fd678c954bc6dfd66f8e6d107b2c7a9c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

Filesize
16KB

MD5
6fff848ed8ccaabd8a060683230ba8a8

SHA1
84bdabfbd5bc39b5b11d14d94fab8002731c7e21

SHA256
f916cbd10026c094de45b170f81c3cd8b13ee0f1784c76fc996d53cebb243486

SHA512
304c6f0206f80a499aab3b13c30bae01e683dfb4f4c7ead2085338906d839d75b60c56b85d42da46788869d6e76f304ce3419e78ea3741237db3af72c3ba96b3

Download Submit
memory/860-438-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2552-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2542-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-17-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-390-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2094-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2576-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-429-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2549-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-441-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-442-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2573-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-448-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2563-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2554-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-18-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-19-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-20-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2558-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-2556-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/860-957-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/2084-55-0x0000000000400000-0x0000000000FDF000-memory.dmp

Filesize
11.9MB

Download
memory/2084-419-0x0000000000400000-0x0000000000FDF000-memory.dmp

Filesize
11.9MB

Download
memory/2756-2541-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/2756-2499-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/3300-2562-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/3300-2561-0x0000000000E50000-0x0000000001329000-memory.dmp

Filesize
4.8MB

Download
memory/3920-71-0x0000000000110000-0x0000000000353000-memory.dmp

Filesize
2.3MB

Download
memory/3920-321-0x0000000000110000-0x0000000000353000-memory.dmp

Filesize
2.3MB

Download
memory/4912-2555-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2564-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2543-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2577-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2551-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-38-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2553-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-428-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2574-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-585-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2557-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-443-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2560-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-1525-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/4912-2498-0x0000000000F10000-0x0000000001A0C000-memory.dmp

Filesize
11.0MB

Download
memory/5116-4-0x0000000000FA0000-0x0000000001479000-memory.dmp

Filesize
4.8MB

Download
memory/5116-3-0x0000000000FA0000-0x0000000001479000-memory.dmp

Filesize
4.8MB

Download
memory/5116-2-0x0000000000FA1000-0x0000000000FCF000-memory.dmp

Filesize
184KB

Download
memory/5116-1-0x0000000077546000-0x0000000077548000-memory.dmp

Filesize
8KB

Download
memory/5116-0-0x0000000000FA0000-0x0000000001479000-memory.dmp

Filesize
4.8MB

Download
memory/5116-16-0x0000000000FA0000-0x0000000001479000-memory.dmp

Filesize
4.8MB

Download