amadey | 55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6

Analysis

max time kernel
150s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14/08/2024, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Size

1.8MB
MD5

6a8855023dca6226bcfd23ff4ba3a6c8
SHA1

aaed3742a5352026e782f0b57431773039b7afdd
SHA256

55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6
SHA512

1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05
SSDEEP

24576:3CpZ7HMIDGMJdMKR0t8Ag5GzQiu5/VIvxfaOUvGghrDJZ9BbwEw3HKV+Xnt:EZ71DuKRzAaKQiu/gs9eiJPBJw3Hr

Score

10^/10

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

kora

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Executes dropped EXE 7 IoCs

pid	Process
780	explorti.exe
2756	aa630bdd3c.exe
3636	3990518d4e.exe
1632	f7df2e71e0.exe
4948	explorti.exe
3804	explorti.exe
5536	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Wine	explorti.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa630bdd3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\aa630bdd3c.exe"	explorti.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3612-44-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe
behavioral2/memory/3612-48-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe
behavioral2/memory/3612-46-0x0000000000400000-0x000000000052D000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1420	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
780	explorti.exe
4948	explorti.exe
3804	explorti.exe
5536	explorti.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 3612	2756	aa630bdd3c.exe	84
PID 3636 set thread context of 3272	3636	3990518d4e.exe	88

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa630bdd3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3990518d4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7df2e71e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1420	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
1420	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
780	explorti.exe
780	explorti.exe
4948	explorti.exe
4948	explorti.exe
3804	explorti.exe
3804	explorti.exe
5536	explorti.exe
5536	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	firefox.exe
Token: SeDebugPrivilege	2268	firefox.exe
Token: SeDebugPrivilege	2268	firefox.exe
Token: SeDebugPrivilege	2268	firefox.exe
Token: SeDebugPrivilege	2268	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
3612	RegAsm.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe
3612	RegAsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 780	1420	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe	82
PID 1420 wrote to memory of 780	1420	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe	82
PID 1420 wrote to memory of 780	1420	55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe	82
PID 780 wrote to memory of 2756	780	explorti.exe	83
PID 780 wrote to memory of 2756	780	explorti.exe	83
PID 780 wrote to memory of 2756	780	explorti.exe	83
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 2756 wrote to memory of 3612	2756	aa630bdd3c.exe	84
PID 780 wrote to memory of 3636	780	explorti.exe	85
PID 780 wrote to memory of 3636	780	explorti.exe	85
PID 780 wrote to memory of 3636	780	explorti.exe	85
PID 3636 wrote to memory of 1340	3636	3990518d4e.exe	86
PID 3636 wrote to memory of 1340	3636	3990518d4e.exe	86
PID 3636 wrote to memory of 1340	3636	3990518d4e.exe	86
PID 3636 wrote to memory of 904	3636	3990518d4e.exe	87
PID 3636 wrote to memory of 904	3636	3990518d4e.exe	87
PID 3636 wrote to memory of 904	3636	3990518d4e.exe	87
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 3636 wrote to memory of 3272	3636	3990518d4e.exe	88
PID 780 wrote to memory of 1632	780	explorti.exe	89
PID 780 wrote to memory of 1632	780	explorti.exe	89
PID 780 wrote to memory of 1632	780	explorti.exe	89
PID 3612 wrote to memory of 2580	3612	RegAsm.exe	90
PID 3612 wrote to memory of 2580	3612	RegAsm.exe	90
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2580 wrote to memory of 2268	2580	firefox.exe	93
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94
PID 2268 wrote to memory of 4588	2268	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
"C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b118abe-3b39-4ee9-bbda-4c9ae058f35d} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" gpu
        7⤵
        
        PID:4588
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {257bfdfd-e136-40e2-a158-2106d30a671f} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" socket
        7⤵
        
        PID:5020
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1524 -childID 1 -isForBrowser -prefsHandle 2804 -prefMapHandle 3040 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834d8a2f-17b8-4fdc-9972-bb9584f858e3} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
        7⤵
        
        PID:4780
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3496 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7674a4fa-f35d-42ea-a854-409247fb30e3} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
        7⤵
        
        PID:1620
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4532 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ea7d5f-4163-4e3e-9239-baae0c26ba56} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" utility
        7⤵
        Checks processor information in registry
        
        PID:1848
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5576 -prefMapHandle 5508 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14869bc3-d2af-4f4c-b693-a6f251bba938} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
        7⤵
        
        PID:5700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5576 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3868653-7684-4abc-8f62-6146c1fee0f6} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
        7⤵
        
        PID:5744
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8c6faa-4174-4c61-8e5e-a382b0d6598b} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
        7⤵
        
        PID:5756
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6292 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6284 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {844bf7d7-ed28-4464-801d-967d37ccf8a7} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" tab
        7⤵
        
        PID:536
- - C:\Users\Admin\1000037002\3990518d4e.exe
    "C:\Users\Admin\1000037002\3990518d4e.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3272
- - C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1632

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3804

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000037002\3990518d4e.exe

Filesize
207KB

MD5
510bbbc4aaa1435c2fbaae4a72ad2055

SHA1
8fcc653c1da4c9b641b0ee566565ae27127687ce

SHA256
cd390760087ffc9c698e75f33f6c2844e97131dbd00a894dfeee0f1b144f2222

SHA512
4701c53d69c6000cb9759f13b31074c8ae5dea21ca09ef40a2aec2bdcf72b52ede4b7327bda398a937094e2d4074a58c8ac9d4c079ddb31ffb46a000416e1a65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

Filesize
41KB

MD5
0b228b260337da37810a5bcd205e78e4

SHA1
d0e31cd9b1aeacfb9ce26b648ea67f4004700f87

SHA256
f5c0dd67961130187916289781eacf50caf1364f2b7518953c93107cb0800a29

SHA512
b4d24b6bc7176e53ea3a0669fbd8651a1794fd8de30e84722af8f97b6fc9c3757501b93c631ab818cde2d911b994c8d5248467d0bb90b9681ab86d786013b199

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
72db3c01928fb413013efc3f45401ba0

SHA1
9492c9eb4d257cf5ed1e2c3a515573851e0a9119

SHA256
5280487206a1e1aefebcd55b47762f4a8744ba07ddf58cbbb78734fc94d868c3

SHA512
bb11231fcc31ba182a829a57afca75b957e3eea81c3cd4bd980e5400c14aca51a923a946a435faafcdeec6c72ecc314a291f966d243fea4b180063c38932124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
6a8855023dca6226bcfd23ff4ba3a6c8

SHA1
aaed3742a5352026e782f0b57431773039b7afdd

SHA256
55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6

SHA512
1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\aa630bdd3c.exe

Filesize
1.2MB

MD5
75a2d87eafbefb74dc8bab6fec16cac1

SHA1
c3decd95d7e19c4dbd1d7b9e409eeb4861c6f369

SHA256
0027e27dcdc31f32e1159f82034ce00169ec7e3b487999d95997c519e0e7d40a

SHA512
1b6c9ad97b74f639d26fd6d3af7c218f04ef08b77f6d6a67c05350c2965941472592fc6cc9c878644e686532295a20cc23d95ca5db4b62a86ec440000079c5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\f7df2e71e0.exe

Filesize
187KB

MD5
278ee1426274818874556aa18fd02e3a

SHA1
185a2761330024dec52134df2c8388c461451acb

SHA256
37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

SHA512
07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
7KB

MD5
9ca75c74dc0f850d16210dc3e70b3943

SHA1
dcf3547461a42f826d1ba90a611ecf24f16dafe7

SHA256
3ff7c2396f66fe41d96a0284611ef619b11dd8535f0ffd2c6b7a96bbc14b4f40

SHA512
8cf91f9dcc4b8d171640e62dbd5f19e02c79d320e25dd9e174357d766ebda3299eccc74f54292723339f19e2aacd2fc795a808d672e8fb09e104d419d2aedcca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
10KB

MD5
9d233287b328fdb88aca6e508a393332

SHA1
c0449055ec69632f610ae3c2b283ccec71d838c7

SHA256
4f3c1dcbc0cd25e98f9eef6d19b69bbc07d5fbe9895b892e5fbf5a6f04eac4e6

SHA512
030f4ebaf6359548ccb2ff9387dd3625867803a526befaa3c9e71f81176e1a2c3014b0ceb07cad64f4450c1bc9f267d0765a4ced3d05541480295b7d429d86f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
99908e397257dac8466a0ee9d43be9dd

SHA1
ab2fde0b227b106afa09cf95b3a46153889934dd

SHA256
84991ddbadbcd5d43d5948d001e76392042ad7c2ec3edda9a6a56d21999e1472

SHA512
e9ca157f46409cefaf612de0e5b85633224b44c6898c872db460bbcde48f7d7fec4c0f02daddc3c36257b258f85c70c9a89a37c1f9d7c327fa6e9ec8a5dfde59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
10e94b5f038fe593cbcb18067e7609d0

SHA1
c64c56ec5bd67cbfbff471600537731908178fe6

SHA256
758ecbf0161461ad28635337e051efa4002c3b3a1f45ea06e0882412387df02d

SHA512
9ce4c6bb4946d351c66c0a669c7c0129f9c6255d99c29fad0a20dee94a5dbe22a2c10ab2ddddcc0b9171421a5a5bb87fca1b4fba379ba280d96951c2ddb04b30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\59b4d5c5-949f-49ff-9d0e-777b7224aaf0

Filesize
982B

MD5
843b5c51cfe3a6a5f079db055fe2c787

SHA1
6f095ebf92be36d888efe9beaab4453db240e25d

SHA256
b31640002b9deedcdd5644a6de6de8f6fec6a91c5c21d3b4afc0dec295ce70d0

SHA512
c9c3614f61561ad57c70187735a5104e4d9990e48d35603f6c9d5b7e49ce6dd7fd3a786c738dbb3f7f169897b9e550fae82f4d3a1c4b578cb6ad87a5905db4d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\91f84ebd-0dad-4690-b351-977ff5764a27

Filesize
671B

MD5
e66800dcf46dcbfd9e8a44278b6438ae

SHA1
39914a78abe6b298bbad723dd48c3f4ce0fe58a6

SHA256
634fb5b5e481ec0024c6d0fa087970f415b755e889239999c7499b888e9637a4

SHA512
7393cef845db758471243b1e60ba1e7cf2567ecb2d6e6eef403cfdac48348a4406ce47745cff09568fd425a64ae8f64e37e2222ae5c3f4ff951ce25d7b03a8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\fdd85613-9796-4efd-8da6-ef7231c3a250

Filesize
27KB

MD5
19a7da920d874893a57fb9d8e5ffe89d

SHA1
1f1d0590752e3a5ec3f643a9320e9cbc33358718

SHA256
f88659779b3105aec66484114f1f4fbfaf796d9d70e2c6dcc457530f16e11be3

SHA512
ab0c3b0e7325ccdc8d34b44fab89aecd32876b43d8587069da346653f8704405105a858ad538b1b1c6eca2ede0c9d70ef7bbe08bbed31ad41f2830e9838f38b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

Filesize
12KB

MD5
10fec288cc6c43b91be6ff93f31c35a8

SHA1
ee3158f3e29c9f67678d9cbc1b5f2b118deef67a

SHA256
05c3354803094ef59694520201daadeb7d053627856e0daab18c8eb0efc4f3aa

SHA512
00f042a927ebcf0b0f585a36d5424ae397a1cf6e4812d4094409db58ab2f8821d9987af683e67e21bae17cf21e5c0bf791d175a5be19542b0c4ddbfa076d67d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

Filesize
16KB

MD5
e8c359468500c2e73e1e0454e0fe873e

SHA1
856470ad88d58316b83fbba6a9e957d69cad67c2

SHA256
23d2768a672a0f7caeeeba2c51cc1a68a373c79740b12960934b38bd41538e36

SHA512
da0436ed26b7aa1c79c237cf18e7e1c246bc9327114488c57cfb16ca7e55e556f8c2e35b9654837b352d4ee08b6408a268890af289f85e111bd5759d60ad00a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

Filesize
11KB

MD5
9f1f341c35552d3281934fe87d12b396

SHA1
4ae31cc73e6c1cbe7715ef4f9f6723987e622f7d

SHA256
3b9dcd1dbeefc18ee430adb328d51da586d62dab6061ff9b37b8f43c79837006

SHA512
9527e021b2122652da483b6a0e79a5ee0bbca43ac0af88f807976b63142fc4a16ccdc6c4ec370c9760b4fc47b27c919399b889e90c40026b488b67dd0a29e49c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

Filesize
10KB

MD5
3bd8cdb13c1eb0d5a720dc167d0048e2

SHA1
a6143b65e76c6ddcd2319004ec692e1010aaba43

SHA256
6b9e8baa5e5a64e8021f39820a22e1db6daeabace403a85067aaa107cf2c4bc9

SHA512
98312478a40944db619ccbfb5f1b5958403fcc63668e02c48377110b1a0f7fab41fbdf68118ef3fca6a165169ceadd0b6fbb89403f18090ec1aace73837729a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.6MB

MD5
9fc2d176e9d9d959c1b5eec75aa8d36b

SHA1
5b5d163d92cbcb5454ed1f787e1963fa4b849f5f

SHA256
b2fdcb5245083fb0aaa39a7f5b1d18a619422b10cfb34e908656467023251d42

SHA512
a538f1a4c5dc42fc62eee797644181325036a3176e52d91b310cb9bf5cbf83e556bb83392d0f01466905da07229489696ce43347132b6c34b00618969e27db97

Download Submit
memory/780-2607-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-18-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2626-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2624-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2615-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2614-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2613-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2612-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2608-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2600-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-454-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-469-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-472-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-475-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-2188-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-1131-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-483-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-22-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-21-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-20-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/780-19-0x0000000000441000-0x000000000046F000-memory.dmp

Filesize
184KB

Download
memory/1420-1-0x0000000077476000-0x0000000077478000-memory.dmp

Filesize
8KB

Download
memory/1420-16-0x0000000000190000-0x000000000065A000-memory.dmp

Filesize
4.8MB

Download
memory/1420-5-0x0000000000190000-0x000000000065A000-memory.dmp

Filesize
4.8MB

Download
memory/1420-3-0x0000000000190000-0x000000000065A000-memory.dmp

Filesize
4.8MB

Download
memory/1420-2-0x0000000000191000-0x00000000001BF000-memory.dmp

Filesize
184KB

Download
memory/1420-0-0x0000000000190000-0x000000000065A000-memory.dmp

Filesize
4.8MB

Download
memory/1632-87-0x0000000000330000-0x0000000000573000-memory.dmp

Filesize
2.3MB

Download
memory/1632-88-0x0000000000330000-0x0000000000573000-memory.dmp

Filesize
2.3MB

Download
memory/2756-42-0x0000000000C10000-0x0000000000D42000-memory.dmp

Filesize
1.2MB

Download
memory/2756-41-0x0000000072E3E000-0x0000000072E3F000-memory.dmp

Filesize
4KB

Download
memory/3272-69-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3272-71-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3612-46-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3612-44-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3612-48-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3636-67-0x0000000000760000-0x000000000079A000-memory.dmp

Filesize
232KB

Download
memory/3804-2611-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/3804-2610-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/4948-476-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/4948-478-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/5536-2628-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download
memory/5536-2629-0x0000000000440000-0x000000000090A000-memory.dmp

Filesize
4.8MB

Download