lumma | 18c5deaf2c328bb86d5296afc5ec288b86cf11483fcb3266e1e7dace7fa986bf

Analysis

max time kernel
25s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

667.6MB
MD5

7cc20058012097efa4abde90287e38f4
SHA1

82f54527ff8cd2695dc391f39978dee0192b3080
SHA256

18aca5c964d48dc9d8cdcd4a4a7a4be5fba19f72c5aa94d2090e84dbad4ea38b
SHA512

c208d3e6fc5a0fb3b10cc8ebd69976bda8e3b2cb49debd425b1b19e49afd78795772c1c085dbd8f2e5836340bcf9ee2ef941d99e114bec7726062178a6dcd856
SSDEEP

196608:kpHkUgQgnjoklXR4R4rwEH5OTSFG+OIvcW/rBXBFIoioPPPEdAL6M6:kpHkUAckl6qPHcSBXBFOAUdk6P

Score

10^/10

lumma evasion persistence stealer themida trojan

Malware Config

Extracted

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4580 created 2712 4580 svchost.exe Y1TIHdrjxCJ6NsoGpldc.exe

description	pid	process	target process
PID 4580 created 2712	4580	svchost.exe	Y1TIHdrjxCJ6NsoGpldc.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

RA5ftxMmABtT9PhOTUVi.exeaida64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RA5ftxMmABtT9PhOTUVi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aida64.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RA5ftxMmABtT9PhOTUVi.exeaida64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aida64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aida64.exe

Executes dropped EXE 3 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exeY1TIHdrjxCJ6NsoGpldc.exeaida64.exe

pid process

1460 RA5ftxMmABtT9PhOTUVi.exe
2712 Y1TIHdrjxCJ6NsoGpldc.exe
4440 aida64.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe	themida
behavioral2/memory/1460-4-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp	themida
behavioral2/memory/1460-6-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp	themida
behavioral2/memory/1460-8-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp	themida
behavioral2/memory/1460-7-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp	themida
behavioral2/memory/1460-279-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp	themida
C:\ProgramData\AIDA64\aida64.exe	themida
behavioral2/memory/4440-317-0x00007FF629590000-0x00007FF62A827000-memory.dmp	themida
C:\ProgramData\AIDA64\aida64.exe	themida
behavioral2/memory/4440-415-0x00007FF629590000-0x00007FF62A827000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RA5ftxMmABtT9PhOTUVi.exeaida64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aida64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

44 pastebin.com
45 pastebin.com

flow	ioc
44	pastebin.com
45	pastebin.com

Drops file in System32 directory 3 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	RA5ftxMmABtT9PhOTUVi.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exeY1TIHdrjxCJ6NsoGpldc.exe

description	pid	process	target process
PID 1460 set thread context of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2712 set thread context of 3680	2712	Y1TIHdrjxCJ6NsoGpldc.exe	RegAsm.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4928 sc.exe
3048 sc.exe
460 sc.exe
2184 sc.exe
3488 sc.exe
2284 sc.exe
460 sc.exe
1520 sc.exe
2964 sc.exe
3352 sc.exe
4100 sc.exe
2908 sc.exe
3008 sc.exe
2252 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4364 2712 WerFault.exe Y1TIHdrjxCJ6NsoGpldc.exe

pid	process
4928	sc.exe
3048	sc.exe
460	sc.exe
2184	sc.exe
3488	sc.exe
2284	sc.exe
460	sc.exe
1520	sc.exe
2964	sc.exe
3352	sc.exe
4100	sc.exe
2908	sc.exe
3008	sc.exe
2252	sc.exe

pid	pid_target	process	target process
4364	2712	WerFault.exe	Y1TIHdrjxCJ6NsoGpldc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exepowershell.exedialer.exesvchost.exe

pid	process
1460	RA5ftxMmABtT9PhOTUVi.exe
2728	powershell.exe
2728	powershell.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
452	dialer.exe
452	dialer.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
1460	RA5ftxMmABtT9PhOTUVi.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
4580	svchost.exe
4580	svchost.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exeRA5ftxMmABtT9PhOTUVi.exedialer.exedwm.exeExplorer.EXEpowershell.exe

description	pid	process
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1460	RA5ftxMmABtT9PhOTUVi.exe
Token: SeDebugPrivilege	452	dialer.exe
Token: SeShutdownPrivilege	340	dwm.exe
Token: SeCreatePagefilePrivilege	340	dwm.exe
Token: SeShutdownPrivilege	3444	Explorer.EXE
Token: SeCreatePagefilePrivilege	3444	Explorer.EXE
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.execmd.exeRA5ftxMmABtT9PhOTUVi.exedialer.exe

description	pid	process	target process
PID 1168 wrote to memory of 1460	1168	Loader.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 1168 wrote to memory of 1460	1168	Loader.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 3076 wrote to memory of 1672	3076	cmd.exe	wusa.exe
PID 3076 wrote to memory of 1672	3076	cmd.exe	wusa.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1460 wrote to memory of 452	1460	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 452 wrote to memory of 620	452	dialer.exe	winlogon.exe
PID 452 wrote to memory of 680	452	dialer.exe	lsass.exe
PID 452 wrote to memory of 960	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 340	452	dialer.exe	dwm.exe
PID 452 wrote to memory of 396	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 596	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1052	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1072	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1080	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1196	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1228	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1252	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1312	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1328	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1464	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1492	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1508	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1620	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1636	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1684	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1724	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1764	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1836	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1844	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1908	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1928	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 1380	452	dialer.exe	spoolsv.exe
PID 452 wrote to memory of 2056	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2220	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2320	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2328	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2340	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2448	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2556	452	dialer.exe	sysmon.exe
PID 452 wrote to memory of 2564	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2600	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2608	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2664	452	dialer.exe	sihost.exe
PID 452 wrote to memory of 2720	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 2872	452	dialer.exe	taskhostw.exe
PID 452 wrote to memory of 3060	452	dialer.exe	unsecapp.exe
PID 452 wrote to memory of 2592	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 3340	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 3444	452	dialer.exe	Explorer.EXE
PID 452 wrote to memory of 3576	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 3760	452	dialer.exe	DllHost.exe
PID 452 wrote to memory of 3936	452	dialer.exe	RuntimeBroker.exe
PID 452 wrote to memory of 3932	452	dialer.exe	RuntimeBroker.exe
PID 452 wrote to memory of 4684	452	dialer.exe	SppExtComObj.exe
PID 452 wrote to memory of 4756	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 4448	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 3660	452	dialer.exe	svchost.exe
PID 452 wrote to memory of 4872	452	dialer.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:340

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1052
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1312
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1928

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Modifies data under HKEY_USERS
PID:2448

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2720

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe
    C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1672
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2908
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:460
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3008
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2252
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:452
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "AIDA64"
      4⤵
      Launches sc.exe
      PID:2184
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "AIDA64" binpath= "C:\ProgramData\AIDA64\aida64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1520
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4928
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1504
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "AIDA64"
      4⤵
      Launches sc.exe
      PID:3488
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe"
      4⤵
      PID:4292
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1856
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1604
- - C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe
    C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 352
      4⤵
      Program crash
      PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4456

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2712 -ip 2712
  2⤵
  PID:2784

C:\ProgramData\AIDA64\aida64.exe
C:\ProgramData\AIDA64\aida64.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4440
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1032
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:416
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2964
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:460
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4484
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5112
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AIDA64\aida64.exe

Filesize
635.9MB

MD5
66537bd215c8825b4b81121c2c4ae664

SHA1
4efacddd5aef32330b1ab9120167f61430409cde

SHA256
e194b0d76e53dd56c171334500a31077ffa728cfc820ed5e1bea2fe102ad1944

SHA512
d3da83df32f265648e038c346de4dcb47a2494f0b641b2b0079971548e66a542fccaffb33e4359644196d823b5819aeed831d3fcf10922af08b837ac5436ffa1

Download Submit
C:\ProgramData\AIDA64\aida64.exe

Filesize
619.0MB

MD5
482a379219c645bfc12aa09a872e0782

SHA1
79f8e201fcc684bcaa957f0fb6ade7dff97c759e

SHA256
a317e2310cdfee4260dd7728a6c0af8655128894ec99b6b8a79f5144e4794c04

SHA512
9b5a194739546dcda63e9eb40a2bfcedeaaad7878df9db283fac03914ef80a5f5ffac22384788062a1f10d283cd97752976a588ebbe69f41cbc366c16849a174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0y4q3rcg.l0y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
667.6MB

MD5
5210d0754d16922067d4f3b7292ee6a2

SHA1
9ebe2ac688af39c1977e429f86409718e8f09a3c

SHA256
c24e5587afdea08781a98be4b013bb927065b3e30848a9e55190aa8567be07ec

SHA512
974d82f3bf77be30b775c5dd58eff97ef7507070e765d9cf254569cd935b564455b54c5ed30525d9ea3050bb3e72419c0f897834978eef4990fb399d7a4b0370

Download Submit
C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
641.0MB

MD5
d0ee19ce1f66c5a3d31ad3dd31150f8f

SHA1
4cd012c07ebb0c4a20b45c37f73c8242fd959b51

SHA256
1a8e77bd73738c23118bc0b025cd5d590772a870db1f81fd530c3b15bc434b4f

SHA512
acc8e1c883466e2e8cfcb49708b8f06f2e43fdd384dde1a7563173feecc05049ee7d83e03f2fb8a44d29d4e66d85a250b0c2569583ca921df9288c560b35cfb1

Download Submit
C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
638.1MB

MD5
c9f44de20e1048f9cfd3d79d12d0bac4

SHA1
96689aef2e0bf1a23562f188ffb136c70d4e30e7

SHA256
69299db6c72044dd4066ba9891b348cc0102631c40a25a61b25859750915eca3

SHA512
e300eadcfd8e3a530f7c6dd20499dbd4d415877712d5cffa52760cd47bdc6c307955e8ef51480473cca0e66001543f8bfabddbab745736143d5a6372c55fcb8d

Download Submit
memory/340-46-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/340-45-0x0000024B89A40000-0x0000024B89A6B000-memory.dmp

Filesize
172KB

Download
memory/396-52-0x000001FD86460000-0x000001FD8648B000-memory.dmp

Filesize
172KB

Download
memory/396-53-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/452-30-0x00007FFA58E50000-0x00007FFA59045000-memory.dmp

Filesize
2.0MB

Download
memory/452-26-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/452-27-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/452-31-0x00007FFA57C20000-0x00007FFA57CDE000-memory.dmp

Filesize
760KB

Download
memory/452-29-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/452-32-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/452-25-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/452-24-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/596-60-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/596-59-0x000001351D260000-0x000001351D28B000-memory.dmp

Filesize
172KB

Download
memory/620-36-0x00000208972E0000-0x000002089730B000-memory.dmp

Filesize
172KB

Download
memory/620-37-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/620-35-0x00000208972B0000-0x00000208972D4000-memory.dmp

Filesize
144KB

Download
memory/680-43-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/680-42-0x000001F18B240000-0x000001F18B26B000-memory.dmp

Filesize
172KB

Download
memory/960-48-0x000001E2235C0000-0x000001E2235EB000-memory.dmp

Filesize
172KB

Download
memory/960-49-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/1052-63-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/1052-62-0x000001D77DDC0000-0x000001D77DDEB000-memory.dmp

Filesize
172KB

Download
memory/1072-66-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/1072-65-0x00000282B4F70000-0x00000282B4F9B000-memory.dmp

Filesize
172KB

Download
memory/1080-69-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/1080-68-0x0000020832490000-0x00000208324BB000-memory.dmp

Filesize
172KB

Download
memory/1196-73-0x00007FFA18ED0000-0x00007FFA18EE0000-memory.dmp

Filesize
64KB

Download
memory/1196-72-0x0000026232480000-0x00000262324AB000-memory.dmp

Filesize
172KB

Download
memory/1460-7-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp

Filesize
18.6MB

Download
memory/1460-4-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp

Filesize
18.6MB

Download
memory/1460-6-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp

Filesize
18.6MB

Download
memory/1460-279-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp

Filesize
18.6MB

Download
memory/1460-8-0x00007FF7D5760000-0x00007FF7D69F7000-memory.dmp

Filesize
18.6MB

Download
memory/1572-359-0x00000251757D0000-0x00000251757DA000-memory.dmp

Filesize
40KB

Download
memory/1572-358-0x00000251757F0000-0x000002517580C000-memory.dmp

Filesize
112KB

Download
memory/1572-363-0x0000025175820000-0x000002517582A000-memory.dmp

Filesize
40KB

Download
memory/1572-362-0x0000025175810000-0x0000025175816000-memory.dmp

Filesize
24KB

Download
memory/1572-361-0x00000251757E0000-0x00000251757E8000-memory.dmp

Filesize
32KB

Download
memory/1572-360-0x0000025175830000-0x000002517584A000-memory.dmp

Filesize
104KB

Download
memory/1572-355-0x00000251755A0000-0x00000251755BC000-memory.dmp

Filesize
112KB

Download
memory/1572-356-0x00000251755C0000-0x0000025175675000-memory.dmp

Filesize
724KB

Download
memory/1572-357-0x0000025175680000-0x000002517568A000-memory.dmp

Filesize
40KB

Download
memory/2728-19-0x00007FFA3A6E0000-0x00007FFA3B1A1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-23-0x00007FFA3A6E0000-0x00007FFA3B1A1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-18-0x0000018A47650000-0x0000018A47672000-memory.dmp

Filesize
136KB

Download
memory/2728-21-0x0000018A2CF50000-0x0000018A2CF60000-memory.dmp

Filesize
64KB

Download
memory/2728-20-0x0000018A2CF50000-0x0000018A2CF60000-memory.dmp

Filesize
64KB

Download
memory/4440-317-0x00007FF629590000-0x00007FF62A827000-memory.dmp

Filesize
18.6MB

Download
memory/4440-415-0x00007FF629590000-0x00007FF62A827000-memory.dmp

Filesize
18.6MB

Download