redline | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqa3lsRThocm9FcDVqWWJvdW1hMEY5VFBvLUlWQXxBQ3Jtc0trVktBRDJCMWpRNlgzZkdFZHZzR1EzODlKSFhUdzZzazdSV3dmR21FQlB0Zko4TzVHUGdTNGRuYmdvMGxLbklITFJGWWxVeE1zMGM3VHd2UG8wVWRRdTE0WXBmMVlOYnJycEpaT19IbUVzeVVmUDBmRQ&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffolder%2Ffk8hywirwuutc%2FATMpengEx&v=UWLI-1DX_aY

Analysis

max time kernel
77s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa3lsRThocm9FcDVqWWJvdW1hMEY5VFBvLUlWQXxBQ3Jtc0trVktBRDJCMWpRNlgzZkdFZHZzR1EzODlKSFhUdzZzazdSV3dmR21FQlB0Zko4TzVHUGdTNGRuYmdvMGxLbklITFJGWWxVeE1zMGM3VHd2UG8wVWRRdTE0WXBmMVlOYnJycEpaT19IbUVzeVVmUDBmRQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Ffk8hywirwuutc%2FATMpengEx&v=UWLI-1DX_aY

Score

10^/10

redline credential_access discovery infostealer stealer

Malware Config

Extracted

Family

redline

185.196.9.26:6302

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3588-1284-0x0000000000370000-0x00000000003C2000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 1 IoCs

pid	Process
4192	SadrickSpool.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4192 set thread context of 3588	4192	SadrickSpool.exe	121

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SadrickSpool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\DaffiLoofr.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe
3588	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	4124	firefox.exe
Token: SeDebugPrivilege	3588	MSBuild.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe
4124	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4728 wrote to memory of 4124	4728	firefox.exe	84
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1612	4124	firefox.exe	85
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86
PID 4124 wrote to memory of 1944	4124	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa3lsRThocm9FcDVqWWJvdW1hMEY5VFBvLUlWQXxBQ3Jtc0trVktBRDJCMWpRNlgzZkdFZHZzR1EzODlKSFhUdzZzazdSV3dmR21FQlB0Zko4TzVHUGdTNGRuYmdvMGxLbklITFJGWWxVeE1zMGM3VHd2UG8wVWRRdTE0WXBmMVlOYnJycEpaT19IbUVzeVVmUDBmRQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Ffk8hywirwuutc%2FATMpengEx&v=UWLI-1DX_aY"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa3lsRThocm9FcDVqWWJvdW1hMEY5VFBvLUlWQXxBQ3Jtc0trVktBRDJCMWpRNlgzZkdFZHZzR1EzODlKSFhUdzZzazdSV3dmR21FQlB0Zko4TzVHUGdTNGRuYmdvMGxLbklITFJGWWxVeE1zMGM3VHd2UG8wVWRRdTE0WXBmMVlOYnJycEpaT19IbUVzeVVmUDBmRQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Ffk8hywirwuutc%2FATMpengEx&v=UWLI-1DX_aY
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c135b50-8fe3-4f51-86a4-d212466e1977} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" gpu
    3⤵
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2492 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eef2e29-c416-4a0b-bafe-aa3d8fef7a22} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" socket
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 2852 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1dc64f5-d976-4250-b0ce-50d9da4cab2a} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {374e5b38-cd13-4e71-850f-5d2275c950c3} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4652 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4644 -prefMapHandle 4640 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ff530ca-de24-4536-9009-422a9d606787} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" utility
    3⤵
    - Checks processor information in registry
    PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5536 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3d7f868-7648-44ca-9f34-69d0f8e3a5e4} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f77972f7-a2fc-49c0-bdb9-043053d3406f} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4d3c1d1-9f3b-47e0-8fb7-fe23b7985fcb} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:2260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 6 -isForBrowser -prefsHandle 6152 -prefMapHandle 5556 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e4e1dbc-d47b-440b-9c2a-92dc5ac9226e} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -parentBuildID 20240401114208 -prefsHandle 3684 -prefMapHandle 4084 -prefsLen 29119 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00ea94ac-c698-408a-8d10-5f4e75b4e28b} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" rdd
    3⤵
    PID:2520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 7 -isForBrowser -prefsHandle 6604 -prefMapHandle 6592 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ca7bb35-6fbb-45ed-a4ce-24797b398e0b} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:3764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6900 -childID 8 -isForBrowser -prefsHandle 6912 -prefMapHandle 6908 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd1e82ef-9ff3-42fe-867d-2ecd21a5177c} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6952 -childID 9 -isForBrowser -prefsHandle 6744 -prefMapHandle 6836 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4879b0e6-2cb4-440e-83c4-3b0f648bcfd2} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7116 -childID 10 -isForBrowser -prefsHandle 7124 -prefMapHandle 7128 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f28f988c-2582-442a-a06a-48ae3e3892dd} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7352 -childID 11 -isForBrowser -prefsHandle 6928 -prefMapHandle 7148 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5cf8e3-4c83-4007-a336-ffaf980cf55c} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7520 -childID 12 -isForBrowser -prefsHandle 7528 -prefMapHandle 7532 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7427ea36-03b2-49c2-878b-8c39cc0dde1e} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7976 -childID 13 -isForBrowser -prefsHandle 7996 -prefMapHandle 7992 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ab770eb-4e3f-43bf-8a66-1358fb9d8575} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 14 -isForBrowser -prefsHandle 8064 -prefMapHandle 5920 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbcf16ca-1d5d-42c4-a307-ca9ed36411ff} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" tab
    3⤵
    PID:5668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5168

C:\Users\Admin\Downloads\DaffiLoofr\SadrickSpool.exe
"C:\Users\Admin\Downloads\DaffiLoofr\SadrickSpool.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

Filesize
35KB

MD5
dba0ad4f49553e0acb22c3abb09dac14

SHA1
a640d68ffb05f19420f5f18b4f6e2bc6ded02e41

SHA256
9058a7927629d9b90a205602aea5c843783aa0800897207ae8994d5dd9fb46b4

SHA512
426e5d3187c01d1102590a3110a49eb9a3016f0b8490557998427a80ad91bea3024aee5b8b8f72f1435ab1decda14d4583cbd70909b0bf782a3ee46b08fa7ca2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\03048E25D5CAF20183F867520BEB3F7A2B0F527B

Filesize
255KB

MD5
40a42d4d2cd58e4a8e526c19f80e738e

SHA1
ca063d92e364e71f9a8af4eb1ee54cb7ece8d9dd

SHA256
b319fd3743d211233f59f8e33ef3aa5a8cdc0e7f680c6ed69435387956ac24f6

SHA512
af0cf3b7d841b73aac3896d19b3764f25890fbbf575211f41756b584c040f9c2251ce34117d863ac6b1ee9f6627d0b235f5ad4515a70ea8cfd5cb256f378fe23

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\6C789DCB3C16DFA27192AFB8FB676E120FF78155

Filesize
1.0MB

MD5
5d56450362ff85288a8235775e9c2012

SHA1
6a5479956b089734bc03216500bf90b54deceb0f

SHA256
1ba4d22f326f67e2850dd077639846acf00831393e2958e66e25697ff59d7206

SHA512
42ce19f7998b55668f1c2de280aff075d41a5e8499e19512cced7dcedd43b7875cc6e9714f3899da1bf09c8cdb58852a228fd0a6b6654b8469b711617e331e4b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\C7140060E768E4B31CA72B49A794E9AFB7593544

Filesize
104KB

MD5
c4d22b79f5dbdb2fd5284d7a58d1c7a3

SHA1
f47aa42912616cc452ca7aa493337da85c06f305

SHA256
8b94da53ea3e5a7d7863ab01c3e0d72fca6be5368ea8c1ed396af07314c0c562

SHA512
c23140d3d21a829d9d634b94710d686020e0a7f989e87bd5c3e1ed9f54f4390efcfb5a4ec4230cdd21f8c4d6fa1ab79c8e1e0aa0ec53191459d9df74375efe81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\C9B0FDC6C151017F38732044B091B6654A9967B9

Filesize
44KB

MD5
6528498c2f4f11a1a508f72c0e32d7d6

SHA1
5d816fb0bb969fd1d213de4137c7eda43a0d1229

SHA256
5d96e2368ff00f4adfcc3e588ba20ebeb37e30c0c65e9e93546a881f04286844

SHA512
e075d983c62a613569abe7d1f0901532c6a2494b7fbe217ab80a960d63344ab2600ade42f6d24652e2be76bc59c31b935eeb55972418a76b4f810967d2891025

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\EE6B0B8575C52CE7C61FB234F57913C1DAD4723D

Filesize
534KB

MD5
b04b2700a570a01427f389576d00bbd1

SHA1
3acfa5074e05b16b15383cf57ec15fec253543d5

SHA256
3971393a0d74b179fd19c438bfbb139fd2e1f11f3cc7c8d40607d4e40dce26af

SHA512
a33bac6bf2726fc57c47c7266267f64aed388bdd443a2c2b7d195aeacf35e2e7f4ff9579baaf362d6899ea8f1685ee5b880085d821e3f5601a93d253876452e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
71KB

MD5
fe3b5586423f01c41f2611c959d48129

SHA1
1a0784b0968516a3bcdfcd183ca0c1a6390080bb

SHA256
f4435abd01d5e707633b24db2e7792d88baa10c09d3c1d792f136c31177c7969

SHA512
8d3f9eb03bf6c65549157c3f8d76fc3620ded0477c1a746426985210250b37776c265886dcbec256af31157e8bc238d68713a87ae771de9a5126f61d4fd51d52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
74KB

MD5
3f96649d6c9c0c85c22f2723c13de35a

SHA1
10b342a10b703d95c494c5b67e7d9567b26c4270

SHA256
384bdcc795afab912f9512f6776b53c0d156e4efc456f78a51132ec78244b693

SHA512
26cf6e7832de70cd4ec2d9bcf5632a36c28693ecaa526f5f1faf4ea0d4d479facb5af6cbcb48632f8d2285861b87af3e420dbf11bfcd3c5fcfc378ee3f8f0f8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
8KB

MD5
f3fba1c9632844c835138186ff7d8e52

SHA1
ca64cced0d2aca904704648da000f38e8cb6879a

SHA256
c1cc6b5e789de173d8d330e93e26e8db4c42ab345cef5fbd7cd38cdf0c9fefa0

SHA512
4526597d2aa5a00d3abf05c7b5ebb7c53878d9f2550823dd71ce6a9eab821d94b9483b3bf21891afc6037a0e6c7723dc6918a7e7e7aa3cb27233439b7684a58e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cookies.sqlite

Filesize
512KB

MD5
1bd12b02e1b4b9b398658d11004d95c5

SHA1
610faf1ed7c0bbaa3fe0796be49363ce5eff1ec9

SHA256
a6c9e246e8041bb04f24e2c65cad6dfa9048a3dd8db33b1c279c0e0f06d212df

SHA512
3baa7a28bcda10546f1ac41a5b35ad9e68e65e336b4663369cfd971384e75bd26cb0bb4bfe8d6d4ee3057420b7e961419fca9e5668568adb45d3a93ed5b84a57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4ca7d46284d483097c28360415e1e55c

SHA1
d8e2dd075f78614aa06d447dd66a620af8095c1d

SHA256
d78cb6c3743609cd1d9db7077b9f86aef58532bc8bd794240a83830dc4cad3cd

SHA512
25ac0a91780c55da8446a0bbd0fc25beae4b98f1b3a0bf91560ae17ec03c8a7c2e632f35d4b0bee6cc4e4aa7d8c9a64b2d824ed793e050afe28b399661365350

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a8ab822ea7f0021c114e5aebac1e5d46

SHA1
9b968cf8b8b720de1a6c5bb14f48ef379851b657

SHA256
32cd9b0605f9cb3ca4739fd969498a4145f98357d24b21884498c361edbcbb71

SHA512
25742e6d853db9d346a626470384ea3625d3d2a8b1df7a74a0f57715f7e0a7a9a2f892425a4af4d72e4c0b7e34bf2e66a02cedfb695791b9a87128910fb15a28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ccc760285a25b067343a72d6c30214a0

SHA1
b20cfc4536e473464923bdd9ea4702118bce2110

SHA256
1cf62bfb360add8c80b3cba586cf0b9360637f79e02bee2a9ee2776f34e55471

SHA512
54ef83adbdd4a51bfb5df1da2073db33cb9da546dc5c4945a3c3afce216175a41c31a498788a2838f7793e684806ca7dff386fedae28ce295464a9f58e67cdc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
314561bb9ad1da811135d3cac09d1081

SHA1
265b6129b5c1ce6e9377a99cf5a62f1b5646b7d4

SHA256
1d5f358afaaa599d7a8a725ee2501bed54a66a3071a3afbd1565f959c109cb19

SHA512
ac6c75179cf675c5b008fe53cd1a6d3de4cebe8d0fc0fa797bfed4360e4d5272ead3e96c15bc85dabba04593485d82b8b6a81fe894c23e9246f020b628c65638

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\b4020e02-e99a-4060-aada-0f9fd9c74243

Filesize
671B

MD5
4c05f9f5c21e213240cb61a832919435

SHA1
3459526759730fc211b9f5f083966109d09ab760

SHA256
2fb6daffb3f57242d96cee216b59246910aa301e654ef69a950feb3ab960dda2

SHA512
fdee2e9871301ada0619d418f4b23357715beb635ea7d8fd4c420fbde706e6de18cd1d5f60478e75a11f9e669d0e7f64d9c7f7fbcefa57893662278ef4d701a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\bc105f3c-dd5c-4b7b-9141-c259023506d0

Filesize
982B

MD5
c7d9df27194be21047029dfab1ef63c9

SHA1
b73202185a01ca3e35e4113ca73fd811b4bb6b01

SHA256
72c433bd36c34cdd5b7199b544d0722f9d1615e77ce149806dbd4320e1956f0c

SHA512
6dadc0d631fb573dc2c1e3368e6bd6279109ea1eb334fea709716c04ac8d6066a667428ae0f2c0c6f03734a128df0be86f12afcde0b6334d30ce00746c1aba28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\e488d59e-3190-420d-b548-cae0ea34c93f

Filesize
28KB

MD5
eedf387cda8fb4bf36224759624fba61

SHA1
7a6830ea16f7ee1f531b7d70f8adc5d9be48e97d

SHA256
1b6be8b329d08e9f2456969b3e683aa719da76e28c1598e30b8fde0d24cc1ee0

SHA512
cc92864b83204437468ca8ffa4d799310ea2eeef8d9a506a43183c2e43c02f9c106adbc1bfd75d91b77018604a88150ea2d11643a199e72f921c71b2670b2f50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
7032c0cf07dd9c53b1710a1004ee930e

SHA1
fec7d4042c05e852356a1474fc29128ee8bb36d5

SHA256
e0428d10bafb99083de63c86d6e3ed0ba664ba99fdb57f496adf33922b2d3bc7

SHA512
8b145895c14bb07eb9b78fcff0c1f67c9d3c29ff0563ba7e5181f98b59bb76a4908aa55fcd556e75febc7de0638618f4dde0dccb431b861f5931c4d902dc3d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
10KB

MD5
ab08cb3ce2492b6bb5c67b95056f9d84

SHA1
52893866774542a2d3036acb7ac754440c64a403

SHA256
8308bc0d9894d41ebe953072e7ab58626114acef36757a53acf5cea68f725346

SHA512
c710ab41b716660235a8065a93bb5a68c88ef84b9a825c92e160d4a37dcd768110014eb6528010e001f4a15837b3b6e16750845bf20a6ec51bbe7bc3bd0dcada

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
756a2b90e98ea5db1194635e348f08e5

SHA1
dc73caf2af8df1882f0acbff22bbd9f0a76f583f

SHA256
b475fc5d65f4640ac0393664576e2034bad0fefb3d0c328b41aed3d4b04d824e

SHA512
0a53b8ec3fde21d1a0dab8be8c03f5cf87a5b76679b36c072c8594750891db93a3b2ba6e1abf87b358f30cd52df9f8f2ed9be07e82607d0dfb7e092e33113773

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
da47e1699e82261a9c9d022db982118f

SHA1
c3473c37bb9420b74aba83985fc278d194faa553

SHA256
4b599e0a92b90e4069b6555742138ef470f35f86c899823c83f0619cd06e7400

SHA512
0291876dc20d04524db393be80810d35ef3446c36c98a988cf854bc304fcc52d3cd935326659c13abe10f59e8aa25b0c717235eb4b51b9c22c2afbf60e4226f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
e85bf1214b9dd4ad4dbe18be0519afcd

SHA1
e88d2e24d5f6d38011960fa92d2d9244b030f418

SHA256
0e23681fe28909539a31d258279ff4ca6628b45d97c69a5a988994dce8aa0fbd

SHA512
8b70b7cc4238d541e2125524e62c0a1dcc9926728bdec077f6a716b95403d0218d581fb6caf6834f301415c2adcc7f16025df0295f38e519433c2c77973f27f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
918df2f7854d792c27396afe1a8709dc

SHA1
553e41bbc60d1b144397502e692cfb7edbf6781f

SHA256
62b82d67e43e811cde40178171fa7ede285b668644933f8bf62ee79162fbf397

SHA512
f5406345e2edaeb95cd987d1a2dbc8e316387de546cafd013b1ecf685b2563965bb4b1392b1159545ad5535da22e4c0429c65358f5c5f3cadf9301d4b22407fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
552KB

MD5
786a9c42fbfa32c08bf9c20b310fd2e5

SHA1
afb2c2a4e96ff50f193b067a20ccd5001bb544b2

SHA256
229e699121afbdd60e9fecb538e1f1ae96e5a691edcb8cd4bf5d6288682d0cd3

SHA512
dc4ba7f993b581eabcaa31e22141ccf6bd1c5beb0bed938d222762b26d6a59d49070bbf5caf78f9b098dc750a9408c605070fac181a4d6a55ddfd677a3f8e9a0

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
615KB

MD5
4e9fc7c937986d4d39c38f8b75d38d1e

SHA1
51f84e2a3c15451bff007d9deacbf06a380733c1

SHA256
f939619742f647af07ea6abc2ef497a4b1864b59b3fa828388de81df45210792

SHA512
148ee1765e0e8268607d1cde2c6cddba3dcc9d95479f053c1908480e8e754f22f1a2a57011272132212b0b9e0ab42459e74d54608045515d2164afcdcde45fef

Download Submit
C:\Users\Admin\Downloads\DaffiLoofr.i8ZCEPaQ.zip.part

Filesize
13.6MB

MD5
cdf7e2e5941cbe700373d5f53754a758

SHA1
4f4bc7206910613506f57c9cfad00c754f9d11a5

SHA256
e9882bb366cf75c3c95a358cdf13371dcf3063f6a241dbb0f09168ad1bac0941

SHA512
738a58a9a860f29d2a9a21b09403edcd18b17e5072efdb05c3bc12eefd59e86e4a9722d1bed36a88f9f6a3c9b9185ff760dee86d426557c1a665dab05a85744d

Download Submit
memory/3588-1294-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/3588-1292-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/3588-1284-0x0000000000370000-0x00000000003C2000-memory.dmp

Filesize
328KB

Download
memory/3588-1304-0x0000000006E30000-0x0000000006E80000-memory.dmp

Filesize
320KB

Download
memory/3588-1302-0x0000000007060000-0x000000000758C000-memory.dmp

Filesize
5.2MB

Download
memory/3588-1288-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-1289-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/3588-1290-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/3588-1291-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-1301-0x0000000006960000-0x0000000006B22000-memory.dmp

Filesize
1.8MB

Download
memory/3588-1293-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/3588-1300-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/3588-1295-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3588-1296-0x0000000004FD0000-0x000000000500C000-memory.dmp

Filesize
240KB

Download
memory/3588-1297-0x0000000005050000-0x000000000509C000-memory.dmp

Filesize
304KB

Download
memory/4192-1276-0x00000000000F0000-0x000000000015E000-memory.dmp

Filesize
440KB

Download
memory/4192-1277-0x0000000002450000-0x0000000002456000-memory.dmp

Filesize
24KB

Download
memory/4192-1286-0x00000000772A1000-0x00000000773C1000-memory.dmp

Filesize
1.1MB

Download
memory/4192-1275-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/4192-1287-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download