umbral | 879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f

Analysis

max time kernel
137s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

conta_injector.exe
Size

2.6MB
MD5

136572773a0b95e37f25ee732cd20564
SHA1

d5aa4913be0eb1a47fe95cdec0f398992b1066e9
SHA256

879fc1eabb8371e770a2fea4362086d08fb8743ce5343465cbedf0c2fdd4404f
SHA512

872c0dc675516b91d8ea43094532c749789753d631979070163c5b71adc088dd2e33393879658e0a361de3fc4f5ed1bd150ebc8658b558abfc46ccc7c8cee0ef
SSDEEP

49152:RP5mffPrD+IndQgKAr5ozxzu6LAH3zu292AXR3jzLzvX:RP5mvrD+ClNo9ztLA

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
InvidiaDriver.exe

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/2876-117-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2876-113-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2876-123-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2876-127-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral
behavioral1/memory/2876-125-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1476-101-0x0000000000400000-0x000000000041E000-memory.dmp	family_xworm
behavioral1/memory/1476-103-0x0000000000400000-0x000000000041E000-memory.dmp	family_xworm
behavioral1/memory/1476-114-0x0000000000400000-0x000000000041E000-memory.dmp	family_xworm
behavioral1/memory/1476-118-0x0000000000400000-0x000000000041E000-memory.dmp	family_xworm
behavioral1/memory/1476-110-0x0000000000400000-0x000000000041E000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InvidiaDriver.lnk	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InvidiaDriver.lnk	RegAsm.exe

Executes dropped EXE 3 IoCs

pid	Process
2648	PerfWatson2.exe
2928	InvidiaDriver.exe
2504	InvidiaDriver.exe

Loads dropped DLL 2 IoCs

pid	Process
1464	conta_injector.exe
1476	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\InvidiaDriver = "C:\\Users\\Admin\\AppData\\Local\\InvidiaDriver.exe"	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 1476	1464	conta_injector.exe	30
PID 2648 set thread context of 2876	2648	PerfWatson2.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2760	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1584	wmic.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	conta_injector.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	conta_injector.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	conta_injector.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	conta_injector.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	conta_injector.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	conta_injector.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
308	powershell.exe
576	powershell.exe
1344	powershell.exe
2908	powershell.exe
824	powershell.exe
860	powershell.exe
2592	powershell.exe
1476	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	conta_injector.exe
Token: SeDebugPrivilege	2620	taskmgr.exe
Token: SeDebugPrivilege	2648	PerfWatson2.exe
Token: SeDebugPrivilege	1476	RegAsm.exe
Token: SeDebugPrivilege	2876	RegAsm.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	2792	wmic.exe
Token: SeSecurityPrivilege	2792	wmic.exe
Token: SeTakeOwnershipPrivilege	2792	wmic.exe
Token: SeLoadDriverPrivilege	2792	wmic.exe
Token: SeSystemProfilePrivilege	2792	wmic.exe
Token: SeSystemtimePrivilege	2792	wmic.exe
Token: SeProfSingleProcessPrivilege	2792	wmic.exe
Token: SeIncBasePriorityPrivilege	2792	wmic.exe
Token: SeCreatePagefilePrivilege	2792	wmic.exe
Token: SeBackupPrivilege	2792	wmic.exe
Token: SeRestorePrivilege	2792	wmic.exe
Token: SeShutdownPrivilege	2792	wmic.exe
Token: SeDebugPrivilege	2792	wmic.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2648	1464	conta_injector.exe	29
PID 1464 wrote to memory of 2648	1464	conta_injector.exe	29
PID 1464 wrote to memory of 2648	1464	conta_injector.exe	29
PID 1464 wrote to memory of 2648	1464	conta_injector.exe	29
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 1464 wrote to memory of 1476	1464	conta_injector.exe	30
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2648 wrote to memory of 2876	2648	PerfWatson2.exe	31
PID 2876 wrote to memory of 308	2876	RegAsm.exe	32
PID 2876 wrote to memory of 308	2876	RegAsm.exe	32
PID 2876 wrote to memory of 308	2876	RegAsm.exe	32
PID 2876 wrote to memory of 308	2876	RegAsm.exe	32
PID 1476 wrote to memory of 576	1476	RegAsm.exe	35
PID 1476 wrote to memory of 576	1476	RegAsm.exe	35
PID 1476 wrote to memory of 576	1476	RegAsm.exe	35
PID 1476 wrote to memory of 576	1476	RegAsm.exe	35
PID 2876 wrote to memory of 2908	2876	RegAsm.exe	40
PID 2876 wrote to memory of 2908	2876	RegAsm.exe	40
PID 2876 wrote to memory of 2908	2876	RegAsm.exe	40
PID 2876 wrote to memory of 2908	2876	RegAsm.exe	40
PID 1476 wrote to memory of 1344	1476	RegAsm.exe	38
PID 1476 wrote to memory of 1344	1476	RegAsm.exe	38
PID 1476 wrote to memory of 1344	1476	RegAsm.exe	38
PID 1476 wrote to memory of 1344	1476	RegAsm.exe	38
PID 1476 wrote to memory of 824	1476	RegAsm.exe	42
PID 1476 wrote to memory of 824	1476	RegAsm.exe	42
PID 1476 wrote to memory of 824	1476	RegAsm.exe	42
PID 1476 wrote to memory of 824	1476	RegAsm.exe	42
PID 1476 wrote to memory of 860	1476	RegAsm.exe	43
PID 1476 wrote to memory of 860	1476	RegAsm.exe	43
PID 1476 wrote to memory of 860	1476	RegAsm.exe	43
PID 1476 wrote to memory of 860	1476	RegAsm.exe	43
PID 2876 wrote to memory of 2680	2876	RegAsm.exe	45
PID 2876 wrote to memory of 2680	2876	RegAsm.exe	45
PID 2876 wrote to memory of 2680	2876	RegAsm.exe	45
PID 2876 wrote to memory of 2680	2876	RegAsm.exe	45
PID 2876 wrote to memory of 2792	2876	RegAsm.exe	47
PID 2876 wrote to memory of 2792	2876	RegAsm.exe	47
PID 2876 wrote to memory of 2792	2876	RegAsm.exe	47
PID 2876 wrote to memory of 2792	2876	RegAsm.exe	47
PID 2876 wrote to memory of 2828	2876	RegAsm.exe	49
PID 2876 wrote to memory of 2828	2876	RegAsm.exe	49
PID 2876 wrote to memory of 2828	2876	RegAsm.exe	49
PID 2876 wrote to memory of 2828	2876	RegAsm.exe	49

C:\Users\Admin\AppData\Local\Temp\conta_injector.exe
"C:\Users\Admin\AppData\Local\Temp\conta_injector.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe
  "C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2792
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2592
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\InvidiaDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InvidiaDriver.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "InvidiaDriver" /tr "C:\Users\Admin\AppData\Local\InvidiaDriver.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2760

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620

C:\Windows\system32\taskeng.exe
taskeng.exe {BB18863C-D8AA-4B02-B752-48108BD9D0D1} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\InvidiaDriver.exe
  C:\Users\Admin\AppData\Local\InvidiaDriver.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Users\Admin\AppData\Local\InvidiaDriver.exe
  C:\Users\Admin\AppData\Local\InvidiaDriver.exe
  2⤵
  - Executes dropped EXE
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30f4759e881adb0747280869a24a81ef

SHA1
778ad1b8b32775c39933c3b19f10e871733b1ba3

SHA256
1d0ea3b9708494c3cf18fcff1b584414e7fc3df60ec053d9aa3c21171d71db4b

SHA512
3100b65e9e886f25996385880134f3ffbdb54ec0af69dea99195e8e9e3d78f6f5ea0f8ded64cf53c45b105adcb2d613ff0df133e54eb6bd4607520d3a5615c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
012da17fe88b3b9089bc3601581b164a

SHA1
b11e3d9b9810ead0396036152dda52325b298e0c

SHA256
ca7cb7db42f78df2a01ed8aac269914e8217b16668264c18bd4d268ae0dc1ba1

SHA512
ba47c27926b6ee3944811658137272086601b8b16a00f8a0990431d16e1e448676bf8ceb6c8418d6444baec7a4174bf7110107da2e28302a4e7dfb536fe8bdb8

Download Submit
C:\Users\Admin\AppData\Local\InvidiaDriver.exe

Filesize
39KB

MD5
534f40ae7940937eda35a3ee09afbc1e

SHA1
0414f1a3b1cbb20af9722f9ee385bd79ddb43ca1

SHA256
46d808f4f96f03e47ae3b138875c733bdbefd80028e7e61ebe8aab22bbe7eca2

SHA512
34d7d63a6228d16a6f185093673249efa8fb4beadc1cd828489aca7ed6039a71fc21c1b44ff2b1c2806ccba06fbd0aff432acd4363d17a067dbe4a254038e5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5840.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe

Filesize
1.2MB

MD5
36ea8295f474191a1507d6ae936070e6

SHA1
2f666af24457a7429f5aecf89a1e2092f1210c3e

SHA256
3007adab25667af1ec9359406e3257dcae21f0dc31dc016cca2b2277564eb1eb

SHA512
2aabdb9363e88bca5c44860767caaf8ef0ee8cffa81cc1e774a492975b9299aaf4e82cb3d685329e74bb3e3f7e50dd2e51927bffbf2390d249d91b47e6e2eecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\PerfWatson2.exe

Filesize
1018KB

MD5
6752a29b01329153aea417b634ce3245

SHA1
509257ef75e8815c4e03dd77c38e509467af2684

SHA256
49fd8670fbfa0464693ed6ae61e6499304cd548290a656767d4410c911747cb3

SHA512
696b46f58f9cc9ab1a3a12b02e58342dbcb641ce3c699b539787a02470e5771aa9991d609834a2a8fea7c33f34d18900efd76a87ac5fa6fd17a66eca6605bcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58FE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c1a642c9fca163e82a1d20d0271f681d

SHA1
f4b109e7a88589b0b9168d691cefff4471517c10

SHA256
1f20e02582fa8795ea520e943a546efebe4df0916dd47d81170b32f5f10e866f

SHA512
21873db0e6eb79517da25c26d81f5a505582fe3e27fbe3e74a98e049ccc19a82eac1dda5a00941a4f3609a7d44fded7678c20d1d7b240ac6aeeb13bd8c3e146e

Download Submit
\Users\Admin\AppData\Local\InvidiaDriver.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\PerfWatson2.exe

Filesize
1.5MB

MD5
d28f882b9e924b7b3f7a08c9da234af0

SHA1
c50ed251e3e0b91d23122cef8dbe1cfd34be1beb

SHA256
fa4b17d0435deaa1a214393cb80e386cba26b495556091bc31d25348e09515f7

SHA512
5f49c45c66e1a0b7badd675b438256b43aa2578c94991dd5c4f2b25b50eae3638834ea28f594023120daa37f862ce07cf07c3a855eb9ca351ad932f2b1d7044c

Download Submit
memory/308-134-0x000000006F580000-0x000000006FB2B000-memory.dmp

Filesize
5.7MB

Download
memory/308-138-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

Filesize
256KB

Download
memory/308-148-0x000000006F580000-0x000000006FB2B000-memory.dmp

Filesize
5.7MB

Download
memory/308-137-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

Filesize
256KB

Download
memory/308-136-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

Filesize
256KB

Download
memory/308-135-0x000000006F580000-0x000000006FB2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-146-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/576-144-0x000000006F580000-0x000000006FB2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-145-0x000000006F580000-0x000000006FB2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-147-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/576-149-0x000000006F580000-0x000000006FB2B000-memory.dmp

Filesize
5.7MB

Download
memory/824-181-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/824-178-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/824-184-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/824-182-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/824-180-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/824-179-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/860-197-0x000000006DE20000-0x000000006E3CB000-memory.dmp

Filesize
5.7MB

Download
memory/860-193-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/860-195-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/860-196-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/860-194-0x000000006DE20000-0x000000006E3CB000-memory.dmp

Filesize
5.7MB

Download
memory/860-192-0x000000006DE20000-0x000000006E3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1344-167-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1344-165-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1344-172-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-170-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-168-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1344-166-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/1464-1-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1464-87-0x00000000049C0000-0x00000000049C8000-memory.dmp

Filesize
32KB

Download
memory/1464-121-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1464-0-0x00000000008D0000-0x0000000000B7E000-memory.dmp

Filesize
2.7MB

Download
memory/1464-2-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1464-74-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1464-78-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1464-71-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1476-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1476-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-222-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1476-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1476-118-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1476-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1476-99-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1476-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1476-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2504-226-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-227-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2592-214-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-208-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2592-204-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-205-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2592-206-0x000000006E3D0000-0x000000006E97B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-207-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2620-76-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2620-77-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2648-75-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2648-128-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-72-0x0000000000360000-0x0000000000520000-memory.dmp

Filesize
1.8MB

Download
memory/2648-73-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2876-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-169-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-171-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-157-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2908-164-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2908-163-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2908-156-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-221-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-220-0x00000000011D0000-0x00000000011E2000-memory.dmp

Filesize
72KB

Download
memory/2928-223-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download