lumma | hxxps://www[.]mediafire[.]com/file/g0d6df68cz7migc/Roblox_cheat[.]zip/file

Resubmissions

29-02-2024 07:05

240229-hwjd3shg3t 10

29-02-2024 06:58

240229-hrjt2shf31 1

Analysis

max time kernel
218s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/g0d6df68cz7migc/Roblox_cheat.zip/file

Score

10^/10

lumma redline discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

45.15.156.142:33597

Extracted

Family

lumma

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/4044-169-0x0000000000B40000-0x0000000000B90000-memory.dmp	family_redline
behavioral1/memory/3332-247-0x0000000000F70000-0x0000000000FC0000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1552	SoftWare.exe
4044	SoftWare update.exe
4668	SoftWare.exe
2320	SoftWare.exe
3332	SoftWare update.exe
5588	SoftWare.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 4576	1552	SoftWare.exe	141
PID 4668 set thread context of 2788	4668	SoftWare.exe	155
PID 2320 set thread context of 3860	2320	SoftWare.exe	160
PID 5588 set thread context of 5784	5588	SoftWare.exe	165

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{81C8E751-F72E-428A-95C9-C45FEA9B859C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
4044	SoftWare update.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
3332	SoftWare update.exe
3332	SoftWare update.exe
3332	SoftWare update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	4892	7zG.exe
Token: 35	4892	7zG.exe
Token: SeSecurityPrivilege	4892	7zG.exe
Token: SeSecurityPrivilege	4892	7zG.exe
Token: SeDebugPrivilege	4044	SoftWare update.exe
Token: SeDebugPrivilege	1280	taskmgr.exe
Token: SeSystemProfilePrivilege	1280	taskmgr.exe
Token: SeCreateGlobalPrivilege	1280	taskmgr.exe
Token: 33	1280	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1280	taskmgr.exe
Token: SeDebugPrivilege	3332	SoftWare update.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4892	7zG.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe
1280	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe
2072	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5744 wrote to memory of 5788	5744	msedge.exe	123
PID 5744 wrote to memory of 5788	5744	msedge.exe	123
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6016	5744	msedge.exe	124
PID 5744 wrote to memory of 6084	5744	msedge.exe	125
PID 5744 wrote to memory of 6084	5744	msedge.exe	125
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126
PID 5744 wrote to memory of 6100	5744	msedge.exe	126

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/g0d6df68cz7migc/Roblox_cheat.zip/file
1⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4756 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4712 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4528 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5992 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6228 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5416 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=1320 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6700 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6552 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6968 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=7212 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=7044 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7084 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6112 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=8172 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=8320 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:1
1⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=7108 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7452 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7148 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7fff77ac2e98,0x7fff77ac2ea4,0x7fff77ac2eb0
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2236 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3516 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4608 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4640 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2144 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4848 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4988 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5272 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5264 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5524 --field-trial-handle=2244,i,17105838980355961159,11835320340507917140,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:5640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4364

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Roblox cheat\" -spe -an -ai#7zMap2325:86:7zEvent22306
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4892

C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe
"C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4576

C:\Users\Admin\Downloads\Roblox cheat\SoftWare update.exe
"C:\Users\Admin\Downloads\Roblox cheat\SoftWare update.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2072
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Roblox cheat\settings\profile.settings
  2⤵
  PID:456

C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe
"C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1280

C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe
"C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3860

C:\Users\Admin\Downloads\Roblox cheat\SoftWare update.exe
"C:\Users\Admin\Downloads\Roblox cheat\SoftWare update.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe
"C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SoftWare.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7538b5adc650a4d3d8496eda00d7dfb9

SHA1
1ef2750bafe5b6f4a04439ed9a0f047b9fef3703

SHA256
2d719dc59f89162df773142cefaa76799a905096752038738c7031e283121ce7

SHA512
0e5c0914d73a78ba64d40cdd601b44d73517ae3f40692e106f8104243ea70d8c735f7f7ca6b5c9e170cfa66fa0ca0b19153e80fefea8699b65ff162c60c7c88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d4f33b86e45f4ec3fa940ee2d4d66573

SHA1
eb1eeb3310f509e40eb3d50d4d02bb63bbf41a3f

SHA256
0ea797e2ae69ff2ff8b613f5ea3bfc7909302f0d186e4fd45a033893ab30d83c

SHA512
c3040efc8402d4bef06d16da108a4d34af5ca2cb84fc57d8a0a2991c81c816c2a6e25de2f683c916dada41c3facbe10145e073e49d248354fdf6a8dc3a227de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Filesize
32KB

MD5
66c8934a432cd78af68a16ca4070d5fa

SHA1
95b98f0e2eada2483af3528d7371b14a2556848c

SHA256
923675011fcd1da2156b15d9c1789bfad934ce822069cf237fa7ac1c9ffa71f3

SHA512
6d15ab2eb5e51a48cd4352a7820c29e8e7ff3bbbee998fb753e11ed7b463d0b8c4937bab8129b5277bbf7e867ce99c46e834f53e7e14b0c2438a89bb689428e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
d83fe8783df191aa388f578ab31c8604

SHA1
f4cfe08fd6c4c0b9fce2cbe808a8ff4dbefbbaf0

SHA256
0d772f3ce231cc77624132877c6bd0347769fd564050770a0a6cdbcf58de93e8

SHA512
c7d4d6e57969bbcb9af3c9cd2e40975d9d0035e9b39a55a845bbc721fd106f3c6fabda9fea6e63d21d00c67a6821f88096493e3eac1e2c895309cd82f78bb2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
11ac10e7b5b0e0b836a358d9b49f0b46

SHA1
3eef763269dd5c8a6292f5c431238b18d36ad9e3

SHA256
df3e11df27b5b674f2c7ecce0a5552c03740e109ba3b228985c3cbe91fcf2659

SHA512
6e574c39a55a7021e95a63c70af5d781a5d800fe275278313003b368a93887a1ccc445d794e63b621b5b84bf9fe1a4e066bb817497f6a8696f6646a4da7d5191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
67KB

MD5
23a0a67b9ae5ca1e6c97380d8648619a

SHA1
2fcb847e1d1e656578403b995ec0fd06ea30d04a

SHA256
9086737c1009d78d606a92f102b2bfdc8a77513f89e9954b4dbc57d2e042180d

SHA512
620cafa23267e23bbb2cb25024b04662d9c8420bfa3bb97ecefa7be5e0805638a882b4423bdb337036ccc4c20ec81395eef53c63acdc90eaaea7ff2c51e246f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
76KB

MD5
3ccae59957ef20444fa77dc5329b4a5f

SHA1
fba449106c96a1921f57200a4c3beac0283f4507

SHA256
024aca60528eb1f62303e6b69c8934a6ec59cb90af62b2fe85e342f6bcd5c148

SHA512
a9141d80d56312b136d8b61372d5589248599b7a00b2abd08c5e75610413fa0240dee24b4d5e17c41ed3fe596bbed096c50c3154a5d0087a28bab968e25af562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
76KB

MD5
a39317bdc839d8e30f4f21c430795dc2

SHA1
dbd4429080b7908ad66fb302bfa0ea65cdae8f31

SHA256
3debc6526d02045af5587e55d838c31bca0162b8ad5c8a1a5bc3d32bf50facb8

SHA512
02fc73d795960754b2aa46294d7e72179ca2d97c068df0f1bc3dff1bdaa5346e51ddb94d74d002b4d8027488f96d4808e4343da59fe9e0a34008ac3b682f5ba1

Download Submit
C:\Users\Admin\Downloads\Roblox cheat\SoftWare update.exe

Filesize
413KB

MD5
96f38c4ec487f995985369153a71e2ee

SHA1
1ad2132023cd5db07caa3b7be4184f1ec7540e45

SHA256
992bc4b4c46cb389636b08e39396144c41f6f6b3ae5bce8b690e46ef7c233367

SHA512
eaf2e2c61b259ce1e2db1ef5caa2af15459948fba72be2c91759f18c934f634bd889ddb504d9125ec1d3c6958145926464d5fd8611a3d1b2712f3e20814ae26e

Download Submit
C:\Users\Admin\Downloads\Roblox cheat\SoftWare.exe

Filesize
309KB

MD5
9fc39dbf000b5f3e86e13af3a9b77c76

SHA1
f8eada249c00a618a6ba4ab3d272fe776ca44d54

SHA256
02d0b2caf285ab043358a2ae582e6bcb282de781cfb46b0130f1fef36f6e9a71

SHA512
ca2dc554f7cc0fd29dd5cd782c5d872cfd4573a1988c605eed36dd419ce2f327ca305ce7d347b132b83659814d19f0ec1f247e8c8b7ee34e30b86b7f3987f76f

Download Submit
C:\Users\Admin\Downloads\Roblox cheat\settings\profile.settings

Filesize
102B

MD5
fca8f5239fc34cdec1b818187c45677e

SHA1
90928f3d1cca0586c1521e342deed9f0e66632c9

SHA256
a095c83dfcd9371e7aaee0561357199eaefd8b65111b694aa940d84ef42bd508

SHA512
ec212239d71e8c5623bb3acc97aea09831d7bc668c526504c046bb38d90988a3a0789d50cf0a11d9f415f4cbc9f5ca29e4be6dbc2bcb8d95c95b18e52b4cd9c3

Download Submit
memory/1280-227-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-219-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-226-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-218-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-224-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-230-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-225-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-220-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-228-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1280-229-0x00000256FD9E0000-0x00000256FD9E1000-memory.dmp

Filesize
4KB

Download
memory/1552-147-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1552-149-0x0000000003370000-0x0000000005370000-memory.dmp

Filesize
32.0MB

Download
memory/1552-139-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1552-140-0x0000000000EC0000-0x0000000000F14000-memory.dmp

Filesize
336KB

Download
memory/1552-199-0x0000000003370000-0x0000000005370000-memory.dmp

Filesize
32.0MB

Download
memory/2320-239-0x00000000031E0000-0x00000000051E0000-memory.dmp

Filesize
32.0MB

Download
memory/2320-240-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2320-234-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/2320-269-0x00000000031E0000-0x00000000051E0000-memory.dmp

Filesize
32.0MB

Download
memory/2788-217-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2788-213-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/2788-216-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/2788-215-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/3332-271-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3332-254-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/3332-253-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3332-252-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3332-247-0x0000000000F70000-0x0000000000FC0000-memory.dmp

Filesize
320KB

Download
memory/3860-241-0x0000000001140000-0x0000000001172000-memory.dmp

Filesize
200KB

Download
memory/3860-245-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3860-243-0x0000000001140000-0x0000000001172000-memory.dmp

Filesize
200KB

Download
memory/3860-244-0x0000000001140000-0x0000000001172000-memory.dmp

Filesize
200KB

Download
memory/3860-242-0x0000000001140000-0x0000000001172000-memory.dmp

Filesize
200KB

Download
memory/4044-169-0x0000000000B40000-0x0000000000B90000-memory.dmp

Filesize
320KB

Download
memory/4044-176-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/4044-173-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-174-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/4044-202-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-195-0x0000000007D90000-0x00000000082BC000-memory.dmp

Filesize
5.2MB

Download
memory/4044-194-0x0000000007690000-0x0000000007852000-memory.dmp

Filesize
1.8MB

Download
memory/4044-193-0x0000000007170000-0x00000000071C0000-memory.dmp

Filesize
320KB

Download
memory/4044-192-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/4044-182-0x00000000059E0000-0x0000000005A2C000-memory.dmp

Filesize
304KB

Download
memory/4044-181-0x00000000059A0000-0x00000000059DC000-memory.dmp

Filesize
240KB

Download
memory/4044-180-0x0000000005900000-0x0000000005912000-memory.dmp

Filesize
72KB

Download
memory/4044-179-0x0000000005A70000-0x0000000005B7A000-memory.dmp

Filesize
1.0MB

Download
memory/4044-178-0x0000000006900000-0x0000000006F18000-memory.dmp

Filesize
6.1MB

Download
memory/4044-177-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/4044-175-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/4576-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4576-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4576-150-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4576-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4668-207-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4668-212-0x0000000003050000-0x0000000005050000-memory.dmp

Filesize
32.0MB

Download
memory/4668-214-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/5588-264-0x0000000003030000-0x0000000005030000-memory.dmp

Filesize
32.0MB

Download
memory/5588-263-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/5588-256-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/5784-267-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/5784-266-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/5784-265-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/5784-268-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download