lumma | 5f28bb44e92716093cfd622e55e57d233036720a2f5de89e0851acc5735562e7

Analysis

max time kernel
124s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20241007-fr
resource tags

arch:x64arch:x86image:win10v2004-20241007-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
26-11-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

the tournament director version 3.1.1 crack.exe
Size

778.0MB
MD5

5946da8791ac74867041b8c0379f9fb7
SHA1

76da237fd15652c8143847b922c328174789df4a
SHA256

bcc3a6f639ebc32af1545031a90592a0ed55225032fceabde5f4bf1cabc38a85
SHA512

59b4e45a88f58fe945032675dbabec694a0f40648bb8e4e27b833dc3d7f09cdbcb2509530c94db216e528b68e16190bd9b17c57841f4db9ff5cb551e23fc306a
SSDEEP

393216:URyyQeEuQRZPJiFA1r2LuLH5icSWDFInCl:UBQeEuQRZPJiFYr2uLHsoFICl

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://river-stone.shop/api

Extracted

Family

lumma

https://river-stone.shop/api

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://disobey-curly.sbs/api

https://motion-treesz.sbs/api

https://powerful-avoids.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	the tournament director version 3.1.1 crack.exe

Executes dropped EXE 1 IoCs

pid	Process
3980	Studying.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4244	tasklist.exe
3296	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IntroVessel	the tournament director version 3.1.1 crack.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	the tournament director version 3.1.1 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Studying.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1240	WINWORD.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771234566565501"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1240	WINWORD.EXE
1240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3980	Studying.com
3980	Studying.com
3980	Studying.com
3980	Studying.com
3980	Studying.com
3980	Studying.com
1732	msedge.exe
1732	msedge.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
1528	chrome.exe
1528	chrome.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	tasklist.exe
Token: SeDebugPrivilege	3296	tasklist.exe
Token: SeDebugPrivilege	2592	taskmgr.exe
Token: SeSystemProfilePrivilege	2592	taskmgr.exe
Token: SeCreateGlobalPrivilege	2592	taskmgr.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3980	Studying.com
3980	Studying.com
3980	Studying.com
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3980	Studying.com
3980	Studying.com
3980	Studying.com
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe
2592	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1240	WINWORD.EXE
1240	WINWORD.EXE
1240	WINWORD.EXE
1240	WINWORD.EXE
1240	WINWORD.EXE
1240	WINWORD.EXE
1240	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 1868	3872	the tournament director version 3.1.1 crack.exe	88
PID 3872 wrote to memory of 1868	3872	the tournament director version 3.1.1 crack.exe	88
PID 3872 wrote to memory of 1868	3872	the tournament director version 3.1.1 crack.exe	88
PID 1868 wrote to memory of 4244	1868	cmd.exe	90
PID 1868 wrote to memory of 4244	1868	cmd.exe	90
PID 1868 wrote to memory of 4244	1868	cmd.exe	90
PID 1868 wrote to memory of 4032	1868	cmd.exe	91
PID 1868 wrote to memory of 4032	1868	cmd.exe	91
PID 1868 wrote to memory of 4032	1868	cmd.exe	91
PID 1868 wrote to memory of 3296	1868	cmd.exe	92
PID 1868 wrote to memory of 3296	1868	cmd.exe	92
PID 1868 wrote to memory of 3296	1868	cmd.exe	92
PID 1868 wrote to memory of 3048	1868	cmd.exe	93
PID 1868 wrote to memory of 3048	1868	cmd.exe	93
PID 1868 wrote to memory of 3048	1868	cmd.exe	93
PID 1868 wrote to memory of 392	1868	cmd.exe	94
PID 1868 wrote to memory of 392	1868	cmd.exe	94
PID 1868 wrote to memory of 392	1868	cmd.exe	94
PID 1868 wrote to memory of 1520	1868	cmd.exe	95
PID 1868 wrote to memory of 1520	1868	cmd.exe	95
PID 1868 wrote to memory of 1520	1868	cmd.exe	95
PID 1868 wrote to memory of 3980	1868	cmd.exe	98
PID 1868 wrote to memory of 3980	1868	cmd.exe	98
PID 1868 wrote to memory of 3980	1868	cmd.exe	98
PID 1868 wrote to memory of 4912	1868	cmd.exe	99
PID 1868 wrote to memory of 4912	1868	cmd.exe	99
PID 1868 wrote to memory of 4912	1868	cmd.exe	99
PID 2696 wrote to memory of 2476	2696	msedge.exe	122
PID 2696 wrote to memory of 2476	2696	msedge.exe	122
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124
PID 2696 wrote to memory of 620	2696	msedge.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\the tournament director version 3.1.1 crack.exe
"C:\Users\Admin\AppData\Local\Temp\the tournament director version 3.1.1 crack.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Ugly Ugly.cmd && Ugly.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4032
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 374235
    3⤵
    - System Location Discovery: System Language Discovery
    PID:392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Deserve + ..\Himself + ..\Harry + ..\Tn + ..\Visited + ..\Carries + ..\Operating S
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\374235\Studying.com
    Studying.com S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3980
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb29c62cfh6861h4cdaha30dh6ab16b4bd191
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ffec84646f8,0x7ffec8464708,0x7ffec8464718
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16862999065307078179,4601014290832450460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16862999065307078179,4601014290832450460,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16862999065307078179,4601014290832450460,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2552

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\PingResume.dotx" /o ""
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeca35cc40,0x7ffeca35cc4c,0x7ffeca35cc58
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2348,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3400,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5044,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4756,i,2912719038417394958,465156015828069830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e4acb36e2d556bfd0d7ebd60a35d50d5

SHA1
41f0856e01d3df82e2f8804c9cd6c8eb21eb63a1

SHA256
8070af4a57d755d908191cb6c94e0f0b54cef5417d05fab6c726dae556e6dc3f

SHA512
b0f7aa9a68eb51eb8bfa81fc466895dcfc84114cc1cf409ce6ed796bff3a3f2e6a302efc2d7903f27f175c8c1691c219385425ccdd5a31e573fc22c51bfcb66d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
99319dfc6f2a6b682b0532ced5464c93

SHA1
c4380b5db083dcee007f6d84b46c9b20e372b4ba

SHA256
9f5c8e907db00dbae0ca196e06490c7fc0b23c4328d959b13b5f37bad3ed49c6

SHA512
197a37308d57ba647c74118f41b90883960b4d5b49f2407b8022d18780ee76bef0ada2a6d0ee48b248dfcbcba5930af65752e22143eb0d776c47ddf20de46919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0ffb9aa612e80e88aa376ad6eb31fe76

SHA1
c65ced5c9aff39e12d4e4c2b8a7f15c503f2fff7

SHA256
b4200d86c32d2f4554d5c292b93b23930e09d0290dbb1343eba11bf8cce755cc

SHA512
ae4897b0d8998905d4fcc0daa97c93b380410756f519792d65d83e0e4b7d7cc33c2492519b9e848183680c0e851b93880aa6f2a66222ad1fdc4f2d9cdd8a0882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6662bcccf7be9fa5e3be444f64e2c335

SHA1
b276a6762bb537e43b5792b59c7be63cffa40039

SHA256
96bb490e0c676aa1eb435a13949f3789c8e4620cb02893a7a9285be6ad183db3

SHA512
d8c61bf18f48e802aea2530515c49f28a225ab76b7da65b42bcfae722a0a5ea92de0f8b9b89592dca2b015db708961a1c39dc1fcd348fa8098a762a44b9c04e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed741abd3c2bbab87c7a7794bbc25698

SHA1
4df8515e4607b27e1fed7c7d7f74ca27bf8db86f

SHA256
d09c2b004c5e19ce308bd9f827b1e3b8d5bad4d4b978a17c5629e164e7034832

SHA512
117a5d10c62a4c36cddded81c23d6e7360a46a73eb5a9b8c95865156a8e6a2a78766e2c95bc671f17d5ab591c7d1a1646b5e38de8c81ba46021e8767b7a4a725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b039c0ca5e805b1e4705c1b01e6eaab6

SHA1
7a709f8a5572b262297b8c2c85a5da2e45722b92

SHA256
df87747e46526c17bbd7ac46fba8d0e4458782532a616e9ae6e04211ebacc614

SHA512
a9b87880a64ebf4c7d4520582b907f3cf3bba6c10fa716830e98b2cd9bdcc783581e5c5d8d70ed43e3bfff748279b6391cce189115ac5ca7cd30c4950a02f954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a9e0cccbc323abe4f8b33e5e2935e1fe

SHA1
cd33b26237e7e3031a7567bf7e8814c8d2779144

SHA256
09c70d9ac3aadb21a08b1fa83d89a1fc2e8248400c4dff7d7c01d7e7a0bcd019

SHA512
fe6838abd21702405869d962636bee6960818dfc836fb7b4df7913602f713c4ab16b8423272a644c3c32075477ac34b59f2310fbfbdfae0820bf79e01bcabd56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
464a249479a25ae1455d9a0fe7508ec2

SHA1
094073b49b83c24030190737706cacf9eff42d03

SHA256
d8b069a13031e00d7d5d918265734ed5a133fd734188e237cfd688ce0d2614a1

SHA512
e3813279402c007e10c2fea6fc2459476561b9c014986a353db69f8f53bfa758b1fc97a1fd7211e82cae213f8cbaccb35a1c2902465fb51e5875b21c4a79b32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62c4eb51352b6fd2aa4bcc54a5712e96

SHA1
1b6307824f9c83b4768e42b1bba6a0a4f52e9d91

SHA256
024ff6866c9b6b64f7bfd78fe4ce159fe0eabf6dad7b3768624cb4b000686869

SHA512
1b9bb3ff449db784f7fbbe418de7c6a1a47579f002ac469981c48f8b89741727c8024c22b781b65df9e77c073ce9bd1f675a3c75d3f92c7ec598ad0fd4e1628a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c0951bd1113242660201f3d72a51c911

SHA1
e5269568080d3dae5f8ba03fc50ab6e78dccf443

SHA256
7c842c0585affb6bb64be4e2863c1d401a635e2b7f093f52757c1586aa098dbb

SHA512
05d04448cef3863238c887a44fbbb966ba5773fd4a6550fd230fe7210b4554ab0ec912b6cc1439b8af4bea36dee8978e5f6e7122c0e590a363d28b291162dfc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\374235\S

Filesize
487KB

MD5
8dc38c2acd88ae70c8d127d5b3d0327d

SHA1
fc4ca6618b18d37b20029bc23fa733f9c78d4ed3

SHA256
901a9cfd4e0bb20ec072c22976eaa2f52ecffefcb19510bf694e342a73d933b2

SHA512
d065e5e6acbd81019470cfa5b9ec9e0d3dfd7a4eb2dd7027c03d02eda30e9fad79e2cd9b1587234d34393f4360b59676ed79cdbc029eb9d1760a88e388a0b50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carries

Filesize
77KB

MD5
fee3c8a099f3cb0845e0031511f8e919

SHA1
22c02c22dff79d1e3f243441f70b671e5a62cc7d

SHA256
10b54e2ce0cecf5c2c79f717bed52571846901a820db5288cf9b836558611ed7

SHA512
63549969a250dc35ba0347ef09202258baa6ece0a30d52f61e28efb3183c2a7eb6f4c5d4087194319a6290f1fc494ee1be2366e3b550f2c67d044dbed0e2ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deserve

Filesize
86KB

MD5
b1a4c9712322955a287103fbf912188b

SHA1
4b7aeebe94fa0da609c319a35c2f40ad0ba88119

SHA256
23fd6a58021c4db5b8a1cbe0bcf4ddc16505c81b3e7cdbaff19e8c5b5f8e9cc9

SHA512
61aa611e656d98d5ad9ee78e08d5f442892d32351423e3f69afc3acaec0fda20b2528580737be5c6429231a9b6fdf9a73fe9299d8d3e02eb7fae6f5d968e9f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harry

Filesize
88KB

MD5
bff4242993a5411e579ed63808db0804

SHA1
8163adf1d7e3a37b4af255a440bd6d33af48d926

SHA256
255c988c2f3d0708514b5e42f81e2c385370e95eb8a00e1f49e5fa6e5772260b

SHA512
2bb9597514b1c1241f7bc965192de592685cbf22a352dc9acc8882a95c64ec50ce15ca876bba0ac56045c7380d98ce4c9e99612de050782e2317fd8df4a53e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Himself

Filesize
90KB

MD5
4568ec59b3e0d5ccb612a9dad9623609

SHA1
5ec75745d771ace428dcbe955a3064ad8e0c44de

SHA256
f743b936e3dfd033ec8b2650f326a6b41c182d7a3fd32a8bcc44c905fc2318f3

SHA512
315f2cc55e125cb04a39c46e8fe57a722286bc50de4711be5f5230acae991b21c41de1c60fea2ba7ad92a79c864cb10092c85020d2429e5e18127fe8054eb7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Operating

Filesize
9KB

MD5
c844a2c583994c66481507036a467e4d

SHA1
b783288afd1e7c470c5d2076e47ef66486badb96

SHA256
0b97bf7581b6acca8f7e4de3ff6d1d9f267fc8c5118cfd60a83705dba5c66ffa

SHA512
4172f0951865e4cd3891c8b141da64d0983e6569fd9fe27f9ca23e42523ddea02de17a060ac5425ae1f7efdeb3a28e0da83383c0ee41619b203e65c28fa1a0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tn

Filesize
77KB

MD5
d561fb89fc339a3c58c9cd9f1e840386

SHA1
153254ccb391e3ffaf64c13a0f893ad664c56fda

SHA256
15f8d5e80c2a00b3a0b6d2bdbef445be35ab2314161064d38516a55fbb1d8550

SHA512
f14f8679365279caea154234a19c3e341853c67e9ca37b045dbf995a3b7c569f574f104c8ad30c625eef70394dad8a4376bb40fcfe44f6bc7454ffd950790e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugly

Filesize
8KB

MD5
8f9fd4ec618f95477e36e8060d628be6

SHA1
f092ef81de21cc7d2a85abfad5254818903ee4be

SHA256
baa4c9cc5232482df00a7921a590582073fe5daddc4f9858832187fbbf6ff8ed

SHA512
873956ce7b4ba1864cdab4bb2c9483aca4eb8f5dbf920ce0e4d8220a63da2e1d1a836867c1d74f70f241b927d9139ca1a90c6712a6c906caf3939844165077a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visited

Filesize
60KB

MD5
76806751e9e33fc8c3be61abde709c3d

SHA1
236b7bdcc8d1eb33ec0fa3a363cc617ad42fb2b8

SHA256
c12eed90e27e048eed040efb93069a891ff8dbb7924f660b6ef32204682a80b6

SHA512
a5ab398cc915a2a2e608c84f2b94d810220dfa77040a2b1549a678852bf92fc327358b7e441631af225089ae4633ef5870898286464d179441a8546b2c65db32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wiki

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1240-289-0x00007FFEA6100000-0x00007FFEA6110000-memory.dmp

Filesize
64KB

Download
memory/1240-287-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-290-0x00007FFEA6100000-0x00007FFEA6110000-memory.dmp

Filesize
64KB

Download
memory/1240-322-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-321-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-323-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-324-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-288-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-285-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-286-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/1240-284-0x00007FFEA8590000-0x00007FFEA85A0000-memory.dmp

Filesize
64KB

Download
memory/2592-336-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-337-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-335-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-334-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-331-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-332-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-333-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-327-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-326-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/2592-325-0x00000233A32C0000-0x00000233A32C1000-memory.dmp

Filesize
4KB

Download
memory/3980-233-0x0000000004DE0000-0x0000000004E3A000-memory.dmp

Filesize
360KB

Download
memory/3980-232-0x0000000004DE0000-0x0000000004E3A000-memory.dmp

Filesize
360KB

Download
memory/3980-231-0x0000000004DE0000-0x0000000004E3A000-memory.dmp

Filesize
360KB

Download
memory/3980-229-0x0000000004DE0000-0x0000000004E3A000-memory.dmp

Filesize
360KB

Download
memory/3980-230-0x0000000004DE0000-0x0000000004E3A000-memory.dmp

Filesize
360KB

Download
memory/3980-228-0x0000000004DE0000-0x0000000004E3A000-memory.dmp

Filesize
360KB

Download