umbral | a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c

Analysis

max time kernel
104s
max time network
75s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 15:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Cheat_by_DioZ.exe
Size

15.3MB
MD5

7e8d421582aacc3651a5f8ae391e4605
SHA1

0cff4ece5e75a5dc0c5e6076ad782ecf42ad7c16
SHA256

a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c
SHA512

7eb24ed0bddb9a681c231c92c50b52015b09466262dbdf1c1e47219f4fe76cff9adf65860d2c03cf61e8d4e7aa7ee46a7a81464773c56a81fee4a2ebec8192f1
SSDEEP

196608:0KMurhe046YIw782LRg5lA7B+juGhgdKDW/vDhoOocQ4cfVqwc7Mzg:0hurhf4Qm8MR8gwRh+n/lvoPDc70

Score

10^/10

umbral evasion stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1143115606330200074/pyKgc8H0hMiolN7TnRv_a5UZxMEV9hMyMPcyMEE79xLCjkKRbFA2ce8qYJuxmfb_M-83

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/1936-122-0x0000000000400000-0x000000000135C000-memory.dmp	family_umbral
behavioral1/files/0x000800000001af8c-127.dat	family_umbral
behavioral1/files/0x000800000001af8c-174.dat	family_umbral
behavioral1/files/0x000800000001af8c-175.dat	family_umbral
behavioral1/memory/4176-178-0x0000027079910000-0x0000027079950000-memory.dmp	family_umbral

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2184 created 3192	2184	MS.exe	43
PID 2184 created 3192	2184	MS.exe	43
PID 2184 created 3192	2184	MS.exe	43
PID 2184 created 3192	2184	MS.exe	43
PID 2184 created 3192	2184	MS.exe	43

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	MS.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
4176	3S.exe
2184	MS.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2644	2184	MS.exe	87

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	smss.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4484	sc.exe
200	sc.exe
1724	sc.exe
3712	sc.exe
524	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3000	656	WerFault.exe	1
2436	572	WerFault.exe	3
420	1004	WerFault.exe	27
444	3192	WerFault.exe	43
2156	3988	WerFault.exe	57
624	2252	WerFault.exe	52
2520	4212	WerFault.exe	54

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Cheat_by_DioZ.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2184	MS.exe
2184	MS.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
2184	MS.exe
2184	MS.exe
2184	MS.exe
2184	MS.exe
2184	MS.exe
2184	MS.exe
2184	MS.exe
2184	MS.exe
2644	dialer.exe
2644	dialer.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
2644	dialer.exe
2644	dialer.exe
2644	Process not Found
2644	Process not Found

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3548	Process not Found
3028	Process not Found
420	Process not Found
4424	Process not Found
4404	Process not Found
4144	Process not Found
204	Process not Found
1160	Process not Found
4176	Process not Found
4612	Process not Found
4340	Process not Found
4452	Process not Found
1076	Process not Found
4988	Process not Found
1592	Process not Found
4060	Process not Found
2796	Process not Found
4820	Process not Found
5048	Process not Found
4464	Process not Found
3384	Process not Found
3900	Process not Found
2120	Process not Found
928	Process not Found
4136	Process not Found
5064	Process not Found
3536	Process not Found
3344	Process not Found
4732	Process not Found
5060	Process not Found
4848	Process not Found
3568	Process not Found
3204	Process not Found
3084	Process not Found
3772	Process not Found
4740	Process not Found
2880	Process not Found
4208	Process not Found
5080	Process not Found
1828	Process not Found
1872	Process not Found
5008	Process not Found
4292	Process not Found
408	Process not Found
4168	Process not Found
8	Process not Found
4508	Process not Found
3348	Process not Found
4560	Process not Found
1612	Process not Found
2828	Process not Found
3520	Process not Found
32	Process not Found
3076	Process not Found
3712	Process not Found
3476	Process not Found
816	Process not Found
524	Process not Found
4300	Process not Found
1488	Process not Found
1812	Process not Found
3708	Process not Found
1332	Process not Found
4696	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	3S.exe
Token: SeIncreaseQuotaPrivilege	712	wmic.exe
Token: SeSecurityPrivilege	712	wmic.exe
Token: SeTakeOwnershipPrivilege	712	wmic.exe
Token: SeLoadDriverPrivilege	712	wmic.exe
Token: SeSystemProfilePrivilege	712	wmic.exe
Token: SeSystemtimePrivilege	712	wmic.exe
Token: SeProfSingleProcessPrivilege	712	wmic.exe
Token: SeIncBasePriorityPrivilege	712	wmic.exe
Token: SeCreatePagefilePrivilege	712	wmic.exe
Token: SeBackupPrivilege	712	wmic.exe
Token: SeRestorePrivilege	712	wmic.exe
Token: SeShutdownPrivilege	712	wmic.exe
Token: SeDebugPrivilege	712	wmic.exe
Token: SeSystemEnvironmentPrivilege	712	wmic.exe
Token: SeRemoteShutdownPrivilege	712	wmic.exe
Token: SeUndockPrivilege	712	wmic.exe
Token: SeManageVolumePrivilege	712	wmic.exe
Token: 33	712	wmic.exe
Token: 34	712	wmic.exe
Token: 35	712	wmic.exe
Token: 36	712	wmic.exe
Token: SeIncreaseQuotaPrivilege	712	wmic.exe
Token: SeSecurityPrivilege	712	wmic.exe
Token: SeTakeOwnershipPrivilege	712	wmic.exe
Token: SeLoadDriverPrivilege	712	wmic.exe
Token: SeSystemProfilePrivilege	712	wmic.exe
Token: SeSystemtimePrivilege	712	wmic.exe
Token: SeProfSingleProcessPrivilege	712	wmic.exe
Token: SeIncBasePriorityPrivilege	712	wmic.exe
Token: SeCreatePagefilePrivilege	712	wmic.exe
Token: SeBackupPrivilege	712	wmic.exe
Token: SeRestorePrivilege	712	wmic.exe
Token: SeShutdownPrivilege	712	wmic.exe
Token: SeDebugPrivilege	712	wmic.exe
Token: SeSystemEnvironmentPrivilege	712	wmic.exe
Token: SeRemoteShutdownPrivilege	712	wmic.exe
Token: SeUndockPrivilege	712	wmic.exe
Token: SeManageVolumePrivilege	712	wmic.exe
Token: 33	712	wmic.exe
Token: 34	712	wmic.exe
Token: 35	712	wmic.exe
Token: 36	712	wmic.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	powershell.exe
Token: SeSecurityPrivilege	4448	powershell.exe
Token: SeTakeOwnershipPrivilege	4448	powershell.exe
Token: SeLoadDriverPrivilege	4448	powershell.exe
Token: SeSystemProfilePrivilege	4448	powershell.exe
Token: SeSystemtimePrivilege	4448	powershell.exe
Token: SeProfSingleProcessPrivilege	4448	powershell.exe
Token: SeIncBasePriorityPrivilege	4448	powershell.exe
Token: SeCreatePagefilePrivilege	4448	powershell.exe
Token: SeBackupPrivilege	4448	powershell.exe
Token: SeRestorePrivilege	4448	powershell.exe
Token: SeShutdownPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeSystemEnvironmentPrivilege	4448	powershell.exe
Token: SeRemoteShutdownPrivilege	4448	powershell.exe
Token: SeUndockPrivilege	4448	powershell.exe
Token: SeManageVolumePrivilege	4448	powershell.exe
Token: 33	4448	powershell.exe
Token: 34	4448	powershell.exe
Token: 35	4448	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4176	1936	Cheat_by_DioZ.exe	70
PID 1936 wrote to memory of 4176	1936	Cheat_by_DioZ.exe	70
PID 1936 wrote to memory of 2184	1936	Cheat_by_DioZ.exe	71
PID 1936 wrote to memory of 2184	1936	Cheat_by_DioZ.exe	71
PID 4176 wrote to memory of 712	4176	3S.exe	72
PID 4176 wrote to memory of 712	4176	3S.exe	72
PID 808 wrote to memory of 4484	808	cmd.exe	80
PID 808 wrote to memory of 4484	808	cmd.exe	80
PID 808 wrote to memory of 200	808	cmd.exe	81
PID 808 wrote to memory of 200	808	cmd.exe	81
PID 808 wrote to memory of 1724	808	cmd.exe	82
PID 808 wrote to memory of 1724	808	cmd.exe	82
PID 808 wrote to memory of 3712	808	cmd.exe	83
PID 808 wrote to memory of 3712	808	cmd.exe	83
PID 808 wrote to memory of 524	808	cmd.exe	84
PID 808 wrote to memory of 524	808	cmd.exe	84
PID 2184 wrote to memory of 2644	2184	MS.exe	87
PID 2068 wrote to memory of 360	2068	cmd.exe	90
PID 2068 wrote to memory of 360	2068	cmd.exe	90
PID 2068 wrote to memory of 3648	2068	cmd.exe	91
PID 2068 wrote to memory of 3648	2068	cmd.exe	91
PID 2068 wrote to memory of 4840	2068	cmd.exe	92
PID 2068 wrote to memory of 4840	2068	cmd.exe	92
PID 2068 wrote to memory of 4944	2068	cmd.exe	93
PID 2068 wrote to memory of 4944	2068	cmd.exe	93
PID 2644 wrote to memory of 572	2644	dialer.exe	3
PID 2644 wrote to memory of 656	2644	dialer.exe	1
PID 656 wrote to memory of 2448	656	lsass.exe	38
PID 2644 wrote to memory of 752	2644	dialer.exe	67
PID 656 wrote to memory of 2448	656	lsass.exe	38
PID 656 wrote to memory of 2448	656	lsass.exe	38
PID 2644 wrote to memory of 920	2644	dialer.exe	31
PID 2644 wrote to memory of 1004	2644	dialer.exe	27
PID 2644 wrote to memory of 388	2644	dialer.exe	19
PID 2644 wrote to memory of 504	2644	dialer.exe	10
PID 2644 wrote to memory of 396	2644	dialer.exe	11
PID 2644 wrote to memory of 1052	2644	dialer.exe	18
PID 2644 wrote to memory of 1120	2644	dialer.exe	13
PID 2644 wrote to memory of 1140	2644	dialer.exe	17
PID 2644 wrote to memory of 1164	2644	dialer.exe	14
PID 2644 wrote to memory of 1252	2644	dialer.exe	15
PID 2644 wrote to memory of 1260	2644	dialer.exe	16
PID 2644 wrote to memory of 1308	2644	dialer.exe	21
PID 2644 wrote to memory of 1412	2644	dialer.exe	20
PID 2644 wrote to memory of 1472	2644	dialer.exe	22
PID 2644 wrote to memory of 1528	2644	dialer.exe	23
PID 2644 wrote to memory of 1548	2644	dialer.exe	24
PID 2644 wrote to memory of 1568	2644	dialer.exe	25
PID 2644 wrote to memory of 1656	2644	dialer.exe	26
PID 2644 wrote to memory of 1700	2644	dialer.exe	28
PID 2644 wrote to memory of 1728	2644	dialer.exe	29
PID 2644 wrote to memory of 1736	2644	dialer.exe	30
PID 2644 wrote to memory of 1832	2644	dialer.exe	32
PID 2644 wrote to memory of 1852	2644	dialer.exe	33
PID 2644 wrote to memory of 1924	2644	dialer.exe	34
PID 2644 wrote to memory of 2012	2644	dialer.exe	65
PID 2644 wrote to memory of 2200	2644	dialer.exe	35
PID 2644 wrote to memory of 2220	2644	dialer.exe	64
PID 2644 wrote to memory of 2228	2644	dialer.exe	36
PID 1412 wrote to memory of 3520	1412	svchost.exe	159
PID 1412 wrote to memory of 3520	1412	svchost.exe	159
PID 2644 wrote to memory of 3520	2644	dialer.exe	159
PID 2644 wrote to memory of 2344	2644	dialer.exe	63
PID 2644 wrote to memory of 2396	2644	dialer.exe	37

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 656 -s 3364
  2⤵
  - Program crash
  PID:3000

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1004
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1004 -s 2084
    3⤵
    - Program crash
    PID:420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 572 -s 940
  2⤵
  - Program crash
  PID:2436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3520
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4020
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2504
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1020
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4516
- \??\c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1852

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2396

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3192
- C:\Users\Admin\AppData\Local\Temp\Cheat_by_DioZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat_by_DioZ.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\3S.exe
    "C:\Users\Admin\AppData\Local\Temp\3S.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:712
- - C:\Users\Admin\AppData\Local\Temp\MS.exe
    "C:\Users\Admin\AppData\Local\Temp\MS.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4484
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:200
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1724
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3712
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:524
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:360
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3648
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4840
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4944
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cnxaozlt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1116
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3192 -s 912
  2⤵
  - Program crash
  PID:444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4532

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2252 -s 712
  2⤵
  - Program crash
  PID:624

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3988
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3988 -s 840
  2⤵
  - Program crash
  PID:2156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4212 -s 864
1⤵
- Program crash
PID:2520

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000148 00000080
1⤵
PID:3520

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c4 00000080
1⤵
PID:2504

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e8 00000080
1⤵
PID:2944

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 00000080
1⤵
PID:4116

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000007c 00000080
1⤵
- Drops file in Program Files directory
PID:2184

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000080
1⤵
PID:4212

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000080
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
899d77bf7dfbdde6edcb1f51a759f343

SHA1
8f7fb3a929f362b6cccc0a606d5098b07a30ae58

SHA256
c67a355c182aca884926cf2397ffab637a92a5cc4cd90cd61f77f56c26edf69b

SHA512
d393efe5776476fb444f87df95fd2dd5247a2e3b4881cf93f359a5bca617bca45702af83fb3e6e24e3b9a936a4a93499f929ed99e41a6b8e9e007f7339c67bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0qqtfzi.pcb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
8d346e67fe454926c9be4324ada55a7f

SHA1
b75f48371401e1a22f475ea5ebc212168cb3b6d6

SHA256
b0d81bc6e9ed18f4b19f3057d3c1b6ef65eaec17c7e27031a67c3220ee487c21

SHA512
e719a64ec49c0859d8611446a8ce9376d61ce9302bc78faa0f22dc6b775d3c0eb6aa5c293f8df8bf409861ae19f2ffa9e80e3a2cea6312f60aa70d3ae3e4181a

Download Submit
memory/328-591-0x000001A5010C0000-0x000001A5010E7000-memory.dmp

Filesize
156KB

Download
memory/388-341-0x000001FB485D0000-0x000001FB485F7000-memory.dmp

Filesize
156KB

Download
memory/388-346-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/388-355-0x000001FB485D0000-0x000001FB485F7000-memory.dmp

Filesize
156KB

Download
memory/396-363-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/396-373-0x000001EF29870000-0x000001EF29897000-memory.dmp

Filesize
156KB

Download
memory/396-357-0x000001EF29870000-0x000001EF29897000-memory.dmp

Filesize
156KB

Download
memory/504-347-0x00000250884A0000-0x00000250884C7000-memory.dmp

Filesize
156KB

Download
memory/504-352-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/504-361-0x00000250884A0000-0x00000250884C7000-memory.dmp

Filesize
156KB

Download
memory/572-317-0x00007FFB15295000-0x00007FFB15296000-memory.dmp

Filesize
4KB

Download
memory/572-392-0x0000026F46050000-0x0000026F46077000-memory.dmp

Filesize
156KB

Download
memory/572-311-0x0000026F46020000-0x0000026F46041000-memory.dmp

Filesize
132KB

Download
memory/572-316-0x0000026F46050000-0x0000026F46077000-memory.dmp

Filesize
156KB

Download
memory/656-320-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/656-324-0x0000027253D80000-0x0000027253DA7000-memory.dmp

Filesize
156KB

Download
memory/656-318-0x0000027253D80000-0x0000027253DA7000-memory.dmp

Filesize
156KB

Download
memory/656-321-0x00007FFB15295000-0x00007FFB15296000-memory.dmp

Filesize
4KB

Download
memory/752-338-0x0000025B4E930000-0x0000025B4E957000-memory.dmp

Filesize
156KB

Download
memory/752-334-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/752-329-0x0000025B4E930000-0x0000025B4E957000-memory.dmp

Filesize
156KB

Download
memory/920-330-0x000001FC1C550000-0x000001FC1C577000-memory.dmp

Filesize
156KB

Download
memory/920-335-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/920-345-0x000001FC1C550000-0x000001FC1C577000-memory.dmp

Filesize
156KB

Download
memory/1004-337-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1004-350-0x0000028F48B80000-0x0000028F48BA7000-memory.dmp

Filesize
156KB

Download
memory/1004-331-0x0000028F48B80000-0x0000028F48BA7000-memory.dmp

Filesize
156KB

Download
memory/1052-362-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1052-356-0x000001FAC7790000-0x000001FAC77B7000-memory.dmp

Filesize
156KB

Download
memory/1052-366-0x000001FAC7790000-0x000001FAC77B7000-memory.dmp

Filesize
156KB

Download
memory/1120-368-0x0000022FC5300000-0x0000022FC5327000-memory.dmp

Filesize
156KB

Download
memory/1120-520-0x0000022FC5300000-0x0000022FC5327000-memory.dmp

Filesize
156KB

Download
memory/1120-374-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1140-378-0x000002748D0D0000-0x000002748D0F7000-memory.dmp

Filesize
156KB

Download
memory/1140-375-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1140-369-0x000002748D0D0000-0x000002748D0F7000-memory.dmp

Filesize
156KB

Download
memory/1164-386-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1164-385-0x000001FF30290000-0x000001FF302B7000-memory.dmp

Filesize
156KB

Download
memory/1252-382-0x00000209D7480000-0x00000209D74A7000-memory.dmp

Filesize
156KB

Download
memory/1252-387-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1252-413-0x00000209D7480000-0x00000209D74A7000-memory.dmp

Filesize
156KB

Download
memory/1260-433-0x000001FFC46A0000-0x000001FFC46C7000-memory.dmp

Filesize
156KB

Download
memory/1260-388-0x000001FFC46A0000-0x000001FFC46C7000-memory.dmp

Filesize
156KB

Download
memory/1260-396-0x00007FFAD5280000-0x00007FFAD5290000-memory.dmp

Filesize
64KB

Download
memory/1308-500-0x0000016C0A8C0000-0x0000016C0A8E7000-memory.dmp

Filesize
156KB

Download
memory/1308-398-0x0000016C0A8C0000-0x0000016C0A8E7000-memory.dmp

Filesize
156KB

Download
memory/1412-508-0x0000027316BC0000-0x0000027316BE7000-memory.dmp

Filesize
156KB

Download
memory/1472-512-0x000001F9D6CD0000-0x000001F9D6CF7000-memory.dmp

Filesize
156KB

Download
memory/1528-517-0x00000207E3DA0000-0x00000207E3DC7000-memory.dmp

Filesize
156KB

Download
memory/1548-439-0x000002D06F6C0000-0x000002D06F6E7000-memory.dmp

Filesize
156KB

Download
memory/1568-446-0x000001E4E06A0000-0x000001E4E06C7000-memory.dmp

Filesize
156KB

Download
memory/1656-525-0x0000022EE78D0000-0x0000022EE78F7000-memory.dmp

Filesize
156KB

Download
memory/1700-451-0x000001B1E77B0000-0x000001B1E77D7000-memory.dmp

Filesize
156KB

Download
memory/1728-457-0x00000276188D0000-0x00000276188F7000-memory.dmp

Filesize
156KB

Download
memory/1736-531-0x000001B1BFAB0000-0x000001B1BFAD7000-memory.dmp

Filesize
156KB

Download
memory/1832-464-0x000001555F370000-0x000001555F397000-memory.dmp

Filesize
156KB

Download
memory/1852-470-0x000001F8F91A0000-0x000001F8F91C7000-memory.dmp

Filesize
156KB

Download
memory/1888-596-0x0000024CD7CB0000-0x0000024CD7CD7000-memory.dmp

Filesize
156KB

Download
memory/1924-474-0x00000000010D0000-0x00000000010F7000-memory.dmp

Filesize
156KB

Download
memory/1936-122-0x0000000000400000-0x000000000135C000-memory.dmp

Filesize
15.4MB

Download
memory/2012-481-0x000001DECFCF0000-0x000001DECFD17000-memory.dmp

Filesize
156KB

Download
memory/2184-234-0x00007FF613F40000-0x00007FF61493D000-memory.dmp

Filesize
10.0MB

Download
memory/2184-299-0x00007FF613F40000-0x00007FF61493D000-memory.dmp

Filesize
10.0MB

Download
memory/2200-486-0x000001FF8AD60000-0x000001FF8AD87000-memory.dmp

Filesize
156KB

Download
memory/2220-490-0x00000189DC310000-0x00000189DC337000-memory.dmp

Filesize
156KB

Download
memory/2228-537-0x000001DBEF5D0000-0x000001DBEF5F7000-memory.dmp

Filesize
156KB

Download
memory/2344-495-0x000002367A030000-0x000002367A057000-memory.dmp

Filesize
156KB

Download
memory/2408-544-0x00000201F7E00000-0x00000201F7E27000-memory.dmp

Filesize
156KB

Download
memory/2456-550-0x000001F07FB60000-0x000001F07FB87000-memory.dmp

Filesize
156KB

Download
memory/2464-554-0x000001B4D3200000-0x000001B4D3227000-memory.dmp

Filesize
156KB

Download
memory/2472-559-0x0000024809230000-0x0000024809257000-memory.dmp

Filesize
156KB

Download
memory/2644-289-0x00007FFB151F0000-0x00007FFB153CB000-memory.dmp

Filesize
1.9MB

Download
memory/2644-333-0x00007FFB151F0000-0x00007FFB153CB000-memory.dmp

Filesize
1.9MB

Download
memory/2644-290-0x00007FFB150E0000-0x00007FFB1518E000-memory.dmp

Filesize
696KB

Download
memory/2852-564-0x000002DC1C600000-0x000002DC1C627000-memory.dmp

Filesize
156KB

Download
memory/2944-569-0x00000159DE4C0000-0x00000159DE4E7000-memory.dmp

Filesize
156KB

Download
memory/3192-574-0x0000000000720000-0x0000000000747000-memory.dmp

Filesize
156KB

Download
memory/3764-579-0x000002178AF30000-0x000002178AF57000-memory.dmp

Filesize
156KB

Download
memory/4116-295-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/4116-298-0x0000016895050000-0x0000016895060000-memory.dmp

Filesize
64KB

Download
memory/4116-297-0x0000016895050000-0x0000016895060000-memory.dmp

Filesize
64KB

Download
memory/4116-327-0x0000016895050000-0x0000016895060000-memory.dmp

Filesize
64KB

Download
memory/4176-228-0x0000027079D20000-0x0000027079D30000-memory.dmp

Filesize
64KB

Download
memory/4176-233-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/4176-226-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/4176-178-0x0000027079910000-0x0000027079950000-memory.dmp

Filesize
256KB

Download
memory/4448-281-0x0000022C6B1D0000-0x0000022C6B1E0000-memory.dmp

Filesize
64KB

Download
memory/4448-238-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-240-0x0000022C6B1D0000-0x0000022C6B1E0000-memory.dmp

Filesize
64KB

Download
memory/4448-241-0x0000022C6B1D0000-0x0000022C6B1E0000-memory.dmp

Filesize
64KB

Download
memory/4448-242-0x0000022C6B1A0000-0x0000022C6B1C2000-memory.dmp

Filesize
136KB

Download
memory/4448-245-0x0000022C6B4D0000-0x0000022C6B546000-memory.dmp

Filesize
472KB

Download
memory/4448-258-0x0000022C6B1D0000-0x0000022C6B1E0000-memory.dmp

Filesize
64KB

Download
memory/4448-285-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/4532-584-0x00000213EDB30000-0x00000213EDB57000-memory.dmp

Filesize
156KB

Download
memory/4936-601-0x000001756E5D0000-0x000001756E5F7000-memory.dmp

Filesize
156KB

Download