lumma | 984d530e78ec72391f217805e5e078cef1c4e15c156c12d60841dae8b2e5af87

Resubmissions

02/08/2024, 02:50

240802-db3vrs1hpj 10

02/08/2024, 02:47

240802-c9v25sweqe 10

Analysis

max time kernel
124s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

9.2MB
MD5

1cc167273eeaf450abb5e548edfabc89
SHA1

ca47da5cc86c31aea84a6b170bc948f1020abe89
SHA256

b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
SHA512

99969849910f81ea0a163562502db3837e1cd506524c408938c12952c10e50ff846604cf5a0774014e0a896ba7c571c969ac168fd38002414dd7a87ed86749d7
SSDEEP

196608:Fsd7F8Iox9opRvxDKokM7JQpBgKDQhN0F:Fsd2px4lwrM7ClQhNu

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://dividenntyss.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Extracted

Family

lumma

https://horizonvxjis.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	Setup.tmp

Executes dropped EXE 5 IoCs

pid	Process
4796	Setup.tmp
1196	Setup.tmp
916	ImPackr.exe
1628	ImPackr.exe
2088	StrCmp.exe

Loads dropped DLL 25 IoCs

pid	Process
4796	Setup.tmp
1196	Setup.tmp
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
916	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
3024	Hypnotism.pif

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
3820	tasklist.exe
2284	tasklist.exe
2884	tasklist.exe
4500	tasklist.exe
1596	tasklist.exe
1872	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 752	1628	ImPackr.exe	119
PID 752 set thread context of 3024	752	more.com	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3356	3024	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImPackr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImPackr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrCmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hypnotism.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4476	ping.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\ProtectLoad\\UBGDIWRRUYFBY"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ProtectLoad\\UBGDIWRRUYFBY\\StrCmp.exe"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	StrCmp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4476	ping.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1196	Setup.tmp
1196	Setup.tmp
916	ImPackr.exe
1628	ImPackr.exe
1628	ImPackr.exe
752	more.com
752	more.com

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1628	ImPackr.exe
752	more.com
752	more.com

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	tasklist.exe
Token: SeDebugPrivilege	2884	tasklist.exe
Token: SeDebugPrivilege	4500	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeDebugPrivilege	3820	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1196	Setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2088	StrCmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4796	4372	Setup.exe	86
PID 4372 wrote to memory of 4796	4372	Setup.exe	86
PID 4372 wrote to memory of 4796	4372	Setup.exe	86
PID 4796 wrote to memory of 1420	4796	Setup.tmp	87
PID 4796 wrote to memory of 1420	4796	Setup.tmp	87
PID 4796 wrote to memory of 1420	4796	Setup.tmp	87
PID 1420 wrote to memory of 1196	1420	Setup.exe	88
PID 1420 wrote to memory of 1196	1420	Setup.exe	88
PID 1420 wrote to memory of 1196	1420	Setup.exe	88
PID 1196 wrote to memory of 4476	1196	Setup.tmp	89
PID 1196 wrote to memory of 4476	1196	Setup.tmp	89
PID 1196 wrote to memory of 4408	1196	Setup.tmp	91
PID 1196 wrote to memory of 4408	1196	Setup.tmp	91
PID 4408 wrote to memory of 2284	4408	cmd.exe	93
PID 4408 wrote to memory of 2284	4408	cmd.exe	93
PID 4408 wrote to memory of 4864	4408	cmd.exe	94
PID 4408 wrote to memory of 4864	4408	cmd.exe	94
PID 1196 wrote to memory of 3888	1196	Setup.tmp	96
PID 1196 wrote to memory of 3888	1196	Setup.tmp	96
PID 3888 wrote to memory of 2884	3888	cmd.exe	98
PID 3888 wrote to memory of 2884	3888	cmd.exe	98
PID 3888 wrote to memory of 1716	3888	cmd.exe	99
PID 3888 wrote to memory of 1716	3888	cmd.exe	99
PID 1196 wrote to memory of 2992	1196	Setup.tmp	100
PID 1196 wrote to memory of 2992	1196	Setup.tmp	100
PID 2992 wrote to memory of 4500	2992	cmd.exe	102
PID 2992 wrote to memory of 4500	2992	cmd.exe	102
PID 2992 wrote to memory of 4156	2992	cmd.exe	103
PID 2992 wrote to memory of 4156	2992	cmd.exe	103
PID 1196 wrote to memory of 1632	1196	Setup.tmp	104
PID 1196 wrote to memory of 1632	1196	Setup.tmp	104
PID 1632 wrote to memory of 1596	1632	cmd.exe	106
PID 1632 wrote to memory of 1596	1632	cmd.exe	106
PID 1632 wrote to memory of 4312	1632	cmd.exe	107
PID 1632 wrote to memory of 4312	1632	cmd.exe	107
PID 1196 wrote to memory of 3548	1196	Setup.tmp	108
PID 1196 wrote to memory of 3548	1196	Setup.tmp	108
PID 3548 wrote to memory of 1872	3548	cmd.exe	110
PID 3548 wrote to memory of 1872	3548	cmd.exe	110
PID 3548 wrote to memory of 3400	3548	cmd.exe	111
PID 3548 wrote to memory of 3400	3548	cmd.exe	111
PID 1196 wrote to memory of 4896	1196	Setup.tmp	112
PID 1196 wrote to memory of 4896	1196	Setup.tmp	112
PID 4896 wrote to memory of 3820	4896	cmd.exe	114
PID 4896 wrote to memory of 3820	4896	cmd.exe	114
PID 4896 wrote to memory of 1564	4896	cmd.exe	115
PID 4896 wrote to memory of 1564	4896	cmd.exe	115
PID 1196 wrote to memory of 916	1196	Setup.tmp	116
PID 1196 wrote to memory of 916	1196	Setup.tmp	116
PID 1196 wrote to memory of 916	1196	Setup.tmp	116
PID 916 wrote to memory of 1628	916	ImPackr.exe	117
PID 916 wrote to memory of 1628	916	ImPackr.exe	117
PID 916 wrote to memory of 1628	916	ImPackr.exe	117
PID 1628 wrote to memory of 2088	1628	ImPackr.exe	118
PID 1628 wrote to memory of 2088	1628	ImPackr.exe	118
PID 1628 wrote to memory of 2088	1628	ImPackr.exe	118
PID 1628 wrote to memory of 752	1628	ImPackr.exe	119
PID 1628 wrote to memory of 752	1628	ImPackr.exe	119
PID 1628 wrote to memory of 752	1628	ImPackr.exe	119
PID 1628 wrote to memory of 752	1628	ImPackr.exe	119
PID 752 wrote to memory of 3024	752	more.com	122
PID 752 wrote to memory of 3024	752	more.com	122
PID 752 wrote to memory of 3024	752	more.com	122
PID 752 wrote to memory of 3024	752	more.com	122

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\is-TFPL0.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TFPL0.tmp\Setup.tmp" /SL5="$90060,8764920,776192,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\is-NUSIH.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NUSIH.tmp\Setup.tmp" /SL5="$A0060,8764920,776192,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\system32\ping.exe
        
        "ping" -n 6 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4476
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
      - C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        6⤵
        
        PID:4864
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3888
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
      - C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        6⤵
        
        PID:1716
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
      - C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        6⤵
        
        PID:4156
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
      - C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        6⤵
        
        PID:4312
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
      - C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        
        PID:3400
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
      - C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        
        PID:1564
    - - C:\Users\Admin\AppData\Local\ptt\ImPackr.exe
        
        "C:\Users\Admin\AppData\Local\ptt\ImPackr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Users\Admin\AppData\Roaming\ProtectLoad\ImPackr.exe
        
        C:\Users\Admin\AppData\Roaming\ProtectLoad\ImPackr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\ProtectLoad\UBGDIWRRUYFBY\StrCmp.exe
        
        C:\Users\Admin\AppData\Roaming\ProtectLoad\UBGDIWRRUYFBY\StrCmp.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Hypnotism.pif
        
        C:\Users\Admin\AppData\Local\Temp\Hypnotism.pif
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1280
        9⤵
        Program crash
        
        PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3024 -ip 3024
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32caac80

Filesize
1.1MB

MD5
27a0b1d3b008b788f0c2663fdf246a32

SHA1
9917cc11f0d959b661e19d6884c41dd82424e183

SHA256
1a1c190ab149b9c0220ed44980b1f21cb0b97240899000e173d99d35acd7a971

SHA512
cde1bd25c5e3b281e301b2a775544c7dd87528c27cac29d7d2d658969e06a67b4cb359d80e46753ab8baf7b501f5ad81ddea4bc9efeaf32ea366bbc9ae10f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hypnotism.pif

Filesize
29KB

MD5
d0509de5ba78cdfb67f897b06d9d184d

SHA1
f3ea9fa41831739d38353167754c0bb5a9544001

SHA256
a5a7183977808efbaa1ca3e55776f09bcae8f30e2aa5b0520c9cd88cd0d4997d

SHA512
0cdfb02946e8450a057db69f3e4331adc2b1bffee2d6002ea2a1ba8b9964883dd71c6f5becd41c02a4a06fd84e20836348b56af3696ae21587a774ec75d9f2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQHSB.tmp\_isetup\_iscrypt.dll

Filesize
12KB

MD5
47cfd05fde4babe79530c7ea730f6dc0

SHA1
2c055fa81f19d6f024f1f3d5b2dd0d5fde51d87e

SHA256
4bb34fe74f86ab389763863ee395a93d73e2d9548c224819ec9055d7c8c4b480

SHA512
ece4b4268e0d346e438f6f59fe333f7b6f95e3287791c517ef477935704ad2788e544a877b39abf542cd90a23966302d44cf03fb71e95c4f84ea11e634b3cbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TFPL0.tmp\Setup.tmp

Filesize
3.0MB

MD5
0a8d31efde93f55df43e8a3cde98e8fa

SHA1
2df48a22c5cf85cad7cf320384ce5cea51f87cee

SHA256
794e4135015d6507846a072f81168eaf297c78dbe529e4cc94ddbb475b43d694

SHA512
ecca5f4883591481dad26daac8d8cae4e49644f86c2e3575c2fe3da9c567f75646ebda70bf23f600aa3570c8614093084773f88a29d58f8675cff44f83b438d0

Download Submit
C:\Users\Admin\AppData\Local\ptt\IMHttpComm.dll

Filesize
32KB

MD5
a70d91a9fd7b65baa0355ee559098bd8

SHA1
546127579c06ae0ae4f63f216da422065a859e2f

SHA256
96d6264b26decf6595ca6f0584a1b60589ec5dacdf03ddf5fbb6104a6afc9e7a

SHA512
f13b735a47090c7c6cc6c2bf9148408ee6db179c96ee6428270541f27e50ad12cff7486f3a6ffac2ba83fd2e6e8e49661e6258f5aee97eb0f48771cbbd22aefa

Download Submit
C:\Users\Admin\AppData\Local\ptt\ImLookExU.dll

Filesize
262KB

MD5
c8a5c9f0824b7132a54764b719b4f436

SHA1
09a92930aff829fb8df9f2856d7e615c3f185b50

SHA256
34ba4b2ca63bbbf0c3be82787b11284d91b6050643c78e7d64d1d25544d72813

SHA512
3848311ca0dd357d02cc07496ff5e5cbc6792e9e3e57afb28998269db7207685a742aea2ecc2196f4c5dbbc255bc8c42451e4bbd69a48ea6b97935d938c33db6

Download Submit
C:\Users\Admin\AppData\Local\ptt\ImNtUtilU.dll

Filesize
94KB

MD5
bb326fe795e2c1c19cd79f320e169fd3

SHA1
1c1f2b8d98f01870455712e6eba26d77753adcac

SHA256
a8e1b0e676dce9556037d29fd96521ec814858404ba4cfdd0db0edbe22c87bc7

SHA512
a1ec894151baa14e4ac1ee9471e8606bf74edd39f7833d9a1a44eee74d403f6b52780c135e9718ff9564fa27d7128c22b8410b21f77e6d804f698cfb4eda65a1

Download Submit
C:\Users\Admin\AppData\Local\ptt\ImPackr.exe

Filesize
102KB

MD5
2f779ac4318fd4990c828f60d16f2b17

SHA1
a188080158f8cdfe5050d6e828fb69e17ac0be19

SHA256
689951b03517f77b6c04bb57f604f50736dc1a86b87253b0dee73722d4520a11

SHA512
7f6dc79ab6db4615bb0c7b31d36cc8750373f9b7c199bfaa8e1eff9dbd6f0b790fe7e4c9dc86b62abb811d93e946e68ddc171701bddba423079447124ca6464c

Download Submit
C:\Users\Admin\AppData\Local\ptt\ImUtilsU.dll

Filesize
1.4MB

MD5
a7eaba8bc12b2b7ec2a41a4d9e45008a

SHA1
6a96a18bb4f1cd6196517713ed634f37f6b0362b

SHA256
914b1e53451b8be2c362d62514f28bdef46a133535d959b13f3f4bf3bc63df3a

SHA512
0ae7fbdb2677d92c62337aa17b60a4887240a4a426ba638c7633587f4582adbcda2bde5ec824aab1a3f69acf2b391118763842acfab856d3d9764850961a2ac8

Download Submit
C:\Users\Admin\AppData\Local\ptt\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
541423a06efdcd4e4554c719061f82cf

SHA1
2e12c6df7352c3ed3c61a45baf68eace1cc9546e

SHA256
17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5

SHA512
11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

Download Submit
C:\Users\Admin\AppData\Local\ptt\Microsoft.VC80.MFC.manifest

Filesize
2KB

MD5
97b859f11538bbe20f17dfb9c0979a1c

SHA1
2593ad721d7be3821fd0b40611a467db97be8547

SHA256
4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36

SHA512
905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

Download Submit
C:\Users\Admin\AppData\Local\ptt\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Users\Admin\AppData\Local\ptt\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Users\Admin\AppData\Local\ptt\tanh.pdf

Filesize
907KB

MD5
a2c4a4c8839fba9933013dd48d65857c

SHA1
a94ece2f5c6a95b974b9e456be0112c91d5e51b8

SHA256
17edad4451044460a570aa31cc5976ac8d4b5f5a0fb73548eb811c6d1b1e01b9

SHA512
860c036475b4a2ebff95fe4ea4fe8a3259e7777639e812d31167e4ec9f4447f1c15abef3b14776bec0305dcc0fa1db43cb2a376babdf6d6eb5e6d5e2c85e57a7

Download Submit
C:\Users\Admin\AppData\Local\ptt\wlessfp1.dll

Filesize
70KB

MD5
5120c44f241a12a3d5a3e87856477c13

SHA1
cd8a6ef728c48e17d570c8dc582ec49e17104f6d

SHA256
fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c

SHA512
67c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectLoad\ImLookU.dll

Filesize
606KB

MD5
3ea6d805a18715f7368363dea3cd3f4c

SHA1
30ffafc1dd447172fa91404f07038d759c412464

SHA256
a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d

SHA512
a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectLoad\ImWrappU.dll

Filesize
158KB

MD5
cbf4827a5920a5f02c50f78ed46d0319

SHA1
b035770e9d9283c61f8f8bbc041e3add0197de7b

SHA256
7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce

SHA512
d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectLoad\SftTree_IX86_U_60.dll

Filesize
570KB

MD5
57bf106e5ec51b703b83b69a402dc39f

SHA1
bd4cfab7c50318607326504cc877c0bc84ef56ef

SHA256
24f2399fc83198ab8d63ee6a1ad6ffbd1eda4d38048d3e809fecd2a3e0709671

SHA512
8bf60649ece6bbb66c7b94ed0d9214fbeab030d5813e1e7b5d6d2349ee1de9075b7dfbbbbeae5af0dc21b071a00eafce0771ca1804e6752e9a71e71e6b1447df

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectLoad\UBGDIWRRUYFBY\StrCmp.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectLoad\mfc80u.dll

Filesize
1.0MB

MD5
ccc2e312486ae6b80970211da472268b

SHA1
025b52ff11627760f7006510e9a521b554230fee

SHA256
18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a

SHA512
d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectLoad\pegmatite.mp4

Filesize
28KB

MD5
c16bdb0036083aba512460a356e5fc84

SHA1
20dbacf9718f981b1e3b21980662a3e634cf39a8

SHA256
b18318487981c68e812f3ac0adb5eb39c019d66da83e2ba15084ad8e836f9bbf

SHA512
ed55801bbb73fa8ddffe6f0b67d8f4beea4e8f3503c7e93845573c4589af41e7a489f8b67fe8073be0378719fd96d66b6773cd0ed2703f4167e7824fa7b58071

Download Submit
memory/752-169-0x00007FFFF2750000-0x00007FFFF2945000-memory.dmp

Filesize
2.0MB

Download
memory/752-171-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/916-107-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/916-108-0x00007FFFF2750000-0x00007FFFF2945000-memory.dmp

Filesize
2.0MB

Download
memory/916-98-0x0000000000A20000-0x0000000000AAE000-memory.dmp

Filesize
568KB

Download
memory/1196-101-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/1420-106-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1420-16-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1420-13-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1628-159-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/1628-156-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/1628-157-0x00007FFFF2750000-0x00007FFFF2945000-memory.dmp

Filesize
2.0MB

Download
memory/1628-151-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1628-165-0x0000000075080000-0x00000000751FB000-memory.dmp

Filesize
1.5MB

Download
memory/3024-180-0x0000000000500000-0x000000000056D000-memory.dmp

Filesize
436KB

Download
memory/3024-179-0x0000000000500000-0x000000000056D000-memory.dmp

Filesize
436KB

Download
memory/3024-178-0x0000000000500000-0x000000000056D000-memory.dmp

Filesize
436KB

Download
memory/3024-177-0x00007FFFF2750000-0x00007FFFF2945000-memory.dmp

Filesize
2.0MB

Download
memory/3024-174-0x0000000073E20000-0x0000000075074000-memory.dmp

Filesize
18.3MB

Download
memory/4372-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4372-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4372-19-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4796-6-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download
memory/4796-17-0x0000000000400000-0x0000000000706000-memory.dmp

Filesize
3.0MB

Download