lumma | 4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bf

Analysis

max time kernel
94s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe
Size

4.3MB
MD5

276c5a9ce873e350d510b51a4c2708d0
SHA1

f63d3c07bfd5153caa6083c2fe39f18e66b0756e
SHA256

4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bf
SHA512

78728dd9a8a3ddeb675b55c9c8c7e1b3fc50a16661e13c2e1807474787e4b160157b7ac576814419cab3e72ffa59687e6c9819075a861950ecaff2350ca1e4d2
SSDEEP

98304:uwNkC+KwfGVjtznZCFQIGhsgvbNcj2lAz2hwOp:uw2C+K4G9tDSTGhs6NckAziw

Score

10^/10

lumma stealc tale credential_access discovery evasion persistence spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

lumma

https://navygenerayk.store/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2x9161.exe3z88H.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2x9161.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3z88H.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2x9161.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3z88H.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2x9161.exe3z88H.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2x9161.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2x9161.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3z88H.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3z88H.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

3z88H.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 3z88H.exe
Executes dropped EXE 4 IoCs

Processes:

r8r50.exe1h63Q9.exe2x9161.exe3z88H.exe

pid process

724 r8r50.exe
1868 1h63Q9.exe
764 2x9161.exe
4856 3z88H.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3z88H.exe

pid	process
724	r8r50.exe
1868	1h63Q9.exe
764	2x9161.exe
4856	3z88H.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2x9161.exe3z88H.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	2x9161.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	3z88H.exe

Loads dropped DLL 1 IoCs

Processes:

3z88H.exe

pid process

4856 3z88H.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
4856	3z88H.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exer8r50.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	r8r50.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1h63Q9.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2x9161.exe3z88H.exe

pid process

764 2x9161.exe
4856 3z88H.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
764	2x9161.exe
4856	3z88H.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exe2x9161.exe3z88H.exetimeout.exe1h63Q9.exetaskkill.exetaskkill.exetaskkill.execmd.exe4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exer8r50.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2x9161.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3z88H.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1h63Q9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r8r50.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe3z88H.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3z88H.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3z88H.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5248 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2576 taskkill.exe
2412 taskkill.exe
2608 taskkill.exe
4272 taskkill.exe
1736 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

1h63Q9.exe2x9161.exe3z88H.exe

pid process

1868 1h63Q9.exe
1868 1h63Q9.exe
1868 1h63Q9.exe
1868 1h63Q9.exe
764 2x9161.exe
764 2x9161.exe
4856 3z88H.exe
4856 3z88H.exe
4856 3z88H.exe
4856 3z88H.exe

pid	process
5248	timeout.exe

pid	process
2576	taskkill.exe
2412	taskkill.exe
2608	taskkill.exe
4272	taskkill.exe
1736	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	5072	firefox.exe
Token: SeDebugPrivilege	5072	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

1h63Q9.exefirefox.exe

pid	process
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

1h63Q9.exefirefox.exe

pid	process
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
5072	firefox.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe
1868	1h63Q9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

5072 firefox.exe

pid	process
5072	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exer8r50.exe1h63Q9.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4872 wrote to memory of 724	4872	4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe	r8r50.exe
PID 4872 wrote to memory of 724	4872	4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe	r8r50.exe
PID 4872 wrote to memory of 724	4872	4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe	r8r50.exe
PID 724 wrote to memory of 1868	724	r8r50.exe	1h63Q9.exe
PID 724 wrote to memory of 1868	724	r8r50.exe	1h63Q9.exe
PID 724 wrote to memory of 1868	724	r8r50.exe	1h63Q9.exe
PID 1868 wrote to memory of 1736	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 1736	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 1736	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2576	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2576	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2576	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2412	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2412	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2412	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2608	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2608	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 2608	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 4272	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 4272	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 4272	1868	1h63Q9.exe	taskkill.exe
PID 1868 wrote to memory of 3948	1868	1h63Q9.exe	firefox.exe
PID 1868 wrote to memory of 3948	1868	1h63Q9.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 3948 wrote to memory of 5072	3948	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe
PID 5072 wrote to memory of 2808	5072	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe
"C:\Users\Admin\AppData\Local\Temp\4ce3d4f84065410eb768f725bbcaeebb0dd90a040428c60427287bc8418e42bfN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r8r50.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r8r50.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1h63Q9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1h63Q9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ee25b47-10bd-4cb4-85b6-2e710bdbe390} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" gpu
        6⤵
        
        PID:2808
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7febcbd9-0f51-4663-b962-c564a8890553} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" socket
        6⤵
        
        PID:4420
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c44effb-3211-4308-b3de-bde305f09ef3} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" tab
        6⤵
        
        PID:2584
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {947de677-f6f6-47b1-b0cb-8bb6f4ba027f} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" tab
        6⤵
        
        PID:4540
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4872 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abb0a084-32ff-4b2f-b8b5-ac1d77462e06} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" utility
        6⤵
        Checks processor information in registry
        
        PID:5784
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5128 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2378a249-2cc0-489c-b522-53abc72d2496} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" tab
        6⤵
        
        PID:7136
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60d8ced8-91f0-4418-952e-d005a9795c9f} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" tab
        6⤵
        
        PID:7160
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5896 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15baac26-c9f5-41b4-943b-27162627f641} 5072 "\\.\pipe\gecko-crash-server-pipe.5072" tab
        6⤵
        
        PID:4900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x9161.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x9161.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z88H.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z88H.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z88H.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99

Filesize
13KB

MD5
6e2c03235078dacefe8c76a6f951256e

SHA1
5fa316d0fc5d67a2cfc33e7ed6387e18c8ca2c2d

SHA256
577595a425459072a25905c010b3a50c6e0c46050c2f1c9eeda63d830e6ffa15

SHA512
15098e4d74e6dbf4663a2348a5b59f7db17038cbcbd8935d1345e5612ce3c840461ff00d53a17bfdeaa8146113907705a1cd6f572864a1d2e09a6d1b26731432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3z88H.exe

Filesize
2.1MB

MD5
47bd0f65bdd541918d45ecddc51e18b3

SHA1
1f3dd28e412bd2875f15d4c6df882feac5268b04

SHA256
7b01c8a4a7c7efa68631acb7979c62672b51cdd464ec181564db8578f0a26187

SHA512
e2853fe2bb2edcef933e57ccca76c234e8115c630598bdf6af0c6dea32c01d90d0ad83122b72b1daf620eef4bf946e0b0295536afae9c097a03828f3149f9808

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r8r50.exe

Filesize
2.1MB

MD5
b87a9c5e791eb603b5068bb6ff1b9329

SHA1
44cb340d355550afa38fcd5fb2e604867d7a3600

SHA256
ab91798e2dc27bc6b7c2de71baef95425eea6debe20279999f4e383f0d364d91

SHA512
0498b8e463547ca40ce27fd8c8dfedb9daa5c210c79c9d890d43b6879ab7ab87b7f34867bacce56ba336dc9ba6caa0897c2857ae15338e608f9a1e0210999a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1h63Q9.exe

Filesize
898KB

MD5
63c52a607ea507c5989508b46c0aa5f4

SHA1
199a272afe1a446de3bdf11a6d4f773172a2115f

SHA256
169f50fff333fb5859f294d69711bb2d0542d3538b12fa1df3e9161addb547b4

SHA512
a50969b6390241e6463938e6d44e200760b78c02564a0796847eff0dddc48a67cc7a2839731050ad79bd6c3a33f4f942e0431c4aa0036df02f58cf44de612e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2x9161.exe

Filesize
3.0MB

MD5
984c35eea09867a632cc39215473e64b

SHA1
0e40d8f2c73ecf63b22b17d354b5e5db3e2a4d56

SHA256
c15e8cd396ce1117ba0d773c8494667cfea420e7f5bb28f17901f7f9d3f93897

SHA512
4b620162a7c8a021e60d707177497e57fa9efef23190d519a45896987b91eb4d2e36ac93bb5ce9a2fdebddb6cc0de9cfe8f435d6849a0d175340bc282782dea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
7dba58b4ab3ba26fe7398ef686ab139e

SHA1
402cd95676d732960d4f4ad0dd10883a59f90eab

SHA256
929dad09841c6c53dcce923299fa0e005d95cc8ae525da28aa99bd41aeba43c9

SHA512
280d5798cf1147726df9d7271abbd6a321883651d945d39bdaf08fda12b7985f88e4252a9353463983c435cfc7ae7d0b639c52502383f92e3bcbf697f6103a08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
8KB

MD5
8b67724b445a17bbbd4a4357c3afbc36

SHA1
7b95dfb01cc8b6d9ea7dff6c5ddde1e7da2586c4

SHA256
fde5e02a26f163c245571adb21c4ca171c6fc57da6d052ec35da71ac70528fb0

SHA512
e6c7e50029432eb4feb64695675d6e43bc08e13ebdb7efba0cee66a203cc3722f9a6f9576fb8d744154e6b79f4a9049d5268ecb883ea138faae075207de435b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
24KB

MD5
aff942bf65150ed1685f015ac0d0415c

SHA1
aebdd850a36277c203f60e76a816c86c9a616e4c

SHA256
2f368b2afdce33f0c665d2a19e86c0ae45942f8a858b5e8462b2c820d41bb222

SHA512
0160813200fb94abca4035aad4cb44bea81c6109180c47aaebafe36912c69deea905e071a2fa9e6a96d2a95ca5a91c919bcba84dac7fada43172035618089459

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
15KB

MD5
dbedfc7f082dca4c06690536f9c84dcb

SHA1
e007369961a77af6593ea79aa5cad2bb3b37ed45

SHA256
4f0d2de7a9d1c798e1669aac159e65b90e13f68015d30ad66b2fd61dfcf5ae6e

SHA512
ab18746c4953a5b72934d5955096acbfa07d26f05160a6ee0a1d37342178cd642c1175c9b5c324b08067c60fa6ab1a37cf911154aef71ee1a819437eddd358d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin

Filesize
5KB

MD5
653efa9b9b07378d770f52bf69b944a9

SHA1
a93bfe6b90044876ddab6b266807cba638f503df

SHA256
63f924f9718a0aded7d35167bb5efa81a08364794edc7c6c0d2a2c9d3f611e1a

SHA512
b11b6b0915db65f8122622d1288527a4c4d01d77d96ddbbc453cc029307f7ad257fa9a2b537b9a632b87a0d92dc865f67121fcb822ed7a9167d48d2d441bd3cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3852bbd4f6034c5831024be9a6ee836b

SHA1
f52fde90f401228caa3992b492ad23ca7119d775

SHA256
2ab334b43ddf9df2f4be8ddbe6edf4d15ebde284e25195e043c07d82fa0d42c8

SHA512
4a4c0f1cafd46e28accf995ab1a852f03db56137fc9b38f5f42272968f7355b759400032edff2b5fdbcb95f5ac0391bf2dfc76f55503e0313eb2a5500fee3dc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
f64dd13bcfef9a59670da452fef0a7d8

SHA1
53d86f8e8c4638f9fa53d7245cf859fa8c28d8d5

SHA256
27e259aaec0e6205dc4662bac0aa5ccb681f61eb2e668505d250f4ec75bb6827

SHA512
00d20cb891e143990460b213a8d2aba9400c42fa5d7644833c22d2cc64f3f94533862a57baecced56807fa6a472cc858b927a3cace002ffdd909c8714554a5d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
67a43c76e62fc52239dc43bd931d8475

SHA1
536567b0de88aa4f907aa77bf32b45e512f080a5

SHA256
e528a35a023ceb9afc0c3b08239f78f2412793436652ed99184914be9bc80148

SHA512
4a3c53814c20a410d9cf756c4dc6653868059842ea33229462c14a441e2bff2079d1b8dc55a2e3ca90d04a683f83792a0c7d6c330135435a73915d0a93153d61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
9dd7ca56ac1d9869847ca6f4705ed04a

SHA1
2390c1dab34318d57e2aa1937828c669d007aced

SHA256
983eecc5591db5313196ea2b6cae93f88083dbd944c2ebc2b5e985e81f4209b8

SHA512
c44f133cdf7f95dda4a908c1bff3752bc76172147e84e877a3767dbd7ef8832406870795cd6c44ad8faba61f17f2433fa56ce1e06a2f1040146a4d02bcfd057a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\1b045e51-d5ea-4d0c-8c1d-aa23f438e1fd

Filesize
671B

MD5
2382a8cfa13bd2587c0a9e0f84a03375

SHA1
ad714444898b45e75ffcdd9d4be1996b4dc35d75

SHA256
bcbf5fa9d24c5b7509e545af113914c0826ee655a2f7803790909bea4dacf5e4

SHA512
3fc3a39a21054be95540fed1b78a67ddcc4ea0e0caab9e2d85e8c8411146a1d9605c31af8acae8bc8806b35a0f6a199ea62bb3506dae284b0f8a138007885cd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\5414901a-55ed-48ca-8ea3-cfc784bbebe0

Filesize
982B

MD5
9a4a915f1ff5ace1a7164f7e0106a5da

SHA1
a3772d7e65443e85bcc50cf432485c315dacf73d

SHA256
47809eb01495e7d1fbb88c41a062751f7bd5332a5f991d8a8c88ad927a48fc3e

SHA512
4e9d6275e1a0003ff15272e781eb91a8a5dacb45130b4bafdca29e8cc2bc58c34c37879ae6424371b6e97437f76f216d944dd3b9717f5f6d2dacd2c8444e2971

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\dc394c49-2c6c-42cc-b43d-57ea2da8502d

Filesize
26KB

MD5
8e828edb1fd36e931db1457bc039275f

SHA1
cb76fb15bdf6c951ae511da8a2d0162612ffede1

SHA256
20a6d5e4a03c731a1aa29c973f87cffcff715a2555b4896bf0fd279cc26bae0f

SHA512
a45909352237fad2bd844391bc5f319b95466e3e913ab0f48215480afba223028f1066330491abbd397ec8fbb919ed2c5717c7412b310e343f71429bd5e6915a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
12KB

MD5
4db07de22380e7f70c6ba2faffc435d5

SHA1
41b432110d8c6777ea41ec721419d4de05f93436

SHA256
a13f170dcde42290a5d80eebcfeb46a2359825ef10daa4538c6073e993c95756

SHA512
3704fbd0ba3b675197da9b630a123031534e8855782761e638cf07750fd3ab237ac712f224b48ddd962abe679b9066eeb3253426d605fe83a3eb69424d840089

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
15KB

MD5
8ebe15c6fe9a53dd53929d5d91535878

SHA1
bb628ddcade8ba522918a834005ddc841bd42f8d

SHA256
fb1f8ca5dac68e3b1b02f42955439ad0f13ecf622677a855015d8dae8e4fa6f3

SHA512
2599dfbd772a4b5af8eb2aa51531edb6794c2ce8c5c2499d41edab79a565d91582ff921cc300b5884376aa0fcf7f0fda7637b0d537339d166ec98f33bbac085e

Download Submit
memory/764-668-0x0000000000660000-0x000000000096C000-memory.dmp

Filesize
3.0MB

Download
memory/764-725-0x0000000000660000-0x000000000096C000-memory.dmp

Filesize
3.0MB

Download
memory/4856-745-0x0000000000DA0000-0x00000000014DB000-memory.dmp

Filesize
7.2MB

Download
memory/4856-731-0x0000000000DA0000-0x00000000014DB000-memory.dmp

Filesize
7.2MB

Download