umbral | 6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

Analysis

max time kernel
536s
max time network
598s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25-02-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IO tootls.exe
Size

207KB
MD5

5afd3e0ac701a47f48772af3c5eb54d1
SHA1

ac20c5db48d258c9f00845fb3508e90d4f3187ae
SHA256

6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c
SHA512

24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b
SSDEEP

6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score

10^/10

umbral xworm persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000200000002a798-48.dat	family_umbral
behavioral4/memory/2492-59-0x00000260F4620000-0x00000260F466E000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000200000002a797-35.dat	family_xworm
behavioral4/memory/4976-60-0x0000000000780000-0x00000000007A6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Executes dropped EXE 2 IoCs

pid	Process
4976	systemload.exe
2492	controllloader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatee = "C:\\Windows\\.NET\\netloader.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	systemload.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 1316	2276	IO tootls.exe	79

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\.NET\netloader.exe	IO tootls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1468	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4960	powershell.exe
4960	powershell.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
1316	IO tootls.exe
4540	powershell.exe
4540	powershell.exe
5080	powershell.exe
5080	powershell.exe
3492	powershell.exe
3492	powershell.exe
2512	powershell.exe
2692	powershell.exe
2512	powershell.exe
2692	powershell.exe
4976	systemload.exe
1736	powershell.exe
1736	powershell.exe
5008	powershell.exe
5008	powershell.exe
712	powershell.exe
712	powershell.exe
752	msedge.exe
752	msedge.exe
4592	msedge.exe
4592	msedge.exe
2148	msedge.exe
2148	msedge.exe
3856	identity_helper.exe
3856	identity_helper.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	1316	IO tootls.exe
Token: SeDebugPrivilege	2492	controllloader.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4976	systemload.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4976	systemload.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	1848	wmic.exe
Token: SeSecurityPrivilege	1848	wmic.exe
Token: SeTakeOwnershipPrivilege	1848	wmic.exe
Token: SeLoadDriverPrivilege	1848	wmic.exe
Token: SeSystemProfilePrivilege	1848	wmic.exe
Token: SeSystemtimePrivilege	1848	wmic.exe
Token: SeProfSingleProcessPrivilege	1848	wmic.exe
Token: SeIncBasePriorityPrivilege	1848	wmic.exe
Token: SeCreatePagefilePrivilege	1848	wmic.exe
Token: SeBackupPrivilege	1848	wmic.exe
Token: SeRestorePrivilege	1848	wmic.exe
Token: SeShutdownPrivilege	1848	wmic.exe
Token: SeDebugPrivilege	1848	wmic.exe
Token: SeSystemEnvironmentPrivilege	1848	wmic.exe
Token: SeRemoteShutdownPrivilege	1848	wmic.exe
Token: SeUndockPrivilege	1848	wmic.exe
Token: SeManageVolumePrivilege	1848	wmic.exe
Token: 33	1848	wmic.exe
Token: 34	1848	wmic.exe
Token: 35	1848	wmic.exe
Token: 36	1848	wmic.exe
Token: SeIncreaseQuotaPrivilege	1848	wmic.exe
Token: SeSecurityPrivilege	1848	wmic.exe
Token: SeTakeOwnershipPrivilege	1848	wmic.exe
Token: SeLoadDriverPrivilege	1848	wmic.exe
Token: SeSystemProfilePrivilege	1848	wmic.exe
Token: SeSystemtimePrivilege	1848	wmic.exe
Token: SeProfSingleProcessPrivilege	1848	wmic.exe
Token: SeIncBasePriorityPrivilege	1848	wmic.exe
Token: SeCreatePagefilePrivilege	1848	wmic.exe
Token: SeBackupPrivilege	1848	wmic.exe
Token: SeRestorePrivilege	1848	wmic.exe
Token: SeShutdownPrivilege	1848	wmic.exe
Token: SeDebugPrivilege	1848	wmic.exe
Token: SeSystemEnvironmentPrivilege	1848	wmic.exe
Token: SeRemoteShutdownPrivilege	1848	wmic.exe
Token: SeUndockPrivilege	1848	wmic.exe
Token: SeManageVolumePrivilege	1848	wmic.exe
Token: 33	1848	wmic.exe
Token: 34	1848	wmic.exe
Token: 35	1848	wmic.exe
Token: 36	1848	wmic.exe
Token: SeIncreaseQuotaPrivilege	3356	wmic.exe
Token: SeSecurityPrivilege	3356	wmic.exe
Token: SeTakeOwnershipPrivilege	3356	wmic.exe
Token: SeLoadDriverPrivilege	3356	wmic.exe
Token: SeSystemProfilePrivilege	3356	wmic.exe
Token: SeSystemtimePrivilege	3356	wmic.exe
Token: SeProfSingleProcessPrivilege	3356	wmic.exe
Token: SeIncBasePriorityPrivilege	3356	wmic.exe
Token: SeCreatePagefilePrivilege	3356	wmic.exe
Token: SeBackupPrivilege	3356	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4976	systemload.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4960	2276	IO tootls.exe	77
PID 2276 wrote to memory of 4960	2276	IO tootls.exe	77
PID 2276 wrote to memory of 4960	2276	IO tootls.exe	77
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 2276 wrote to memory of 1316	2276	IO tootls.exe	79
PID 1316 wrote to memory of 4976	1316	IO tootls.exe	80
PID 1316 wrote to memory of 4976	1316	IO tootls.exe	80
PID 1316 wrote to memory of 2492	1316	IO tootls.exe	81
PID 1316 wrote to memory of 2492	1316	IO tootls.exe	81
PID 1316 wrote to memory of 2936	1316	IO tootls.exe	82
PID 1316 wrote to memory of 2936	1316	IO tootls.exe	82
PID 1316 wrote to memory of 2936	1316	IO tootls.exe	82
PID 2936 wrote to memory of 4540	2936	cmd.exe	84
PID 2936 wrote to memory of 4540	2936	cmd.exe	84
PID 2936 wrote to memory of 4540	2936	cmd.exe	84
PID 2492 wrote to memory of 5080	2492	controllloader.exe	85
PID 2492 wrote to memory of 5080	2492	controllloader.exe	85
PID 4976 wrote to memory of 3492	4976	systemload.exe	88
PID 4976 wrote to memory of 3492	4976	systemload.exe	88
PID 4976 wrote to memory of 2512	4976	systemload.exe	89
PID 4976 wrote to memory of 2512	4976	systemload.exe	89
PID 2492 wrote to memory of 2692	2492	controllloader.exe	91
PID 2492 wrote to memory of 2692	2492	controllloader.exe	91
PID 2492 wrote to memory of 1736	2492	controllloader.exe	93
PID 2492 wrote to memory of 1736	2492	controllloader.exe	93
PID 2492 wrote to memory of 5008	2492	controllloader.exe	95
PID 2492 wrote to memory of 5008	2492	controllloader.exe	95
PID 2492 wrote to memory of 1848	2492	controllloader.exe	97
PID 2492 wrote to memory of 1848	2492	controllloader.exe	97
PID 2492 wrote to memory of 3356	2492	controllloader.exe	100
PID 2492 wrote to memory of 3356	2492	controllloader.exe	100
PID 2492 wrote to memory of 3284	2492	controllloader.exe	102
PID 2492 wrote to memory of 3284	2492	controllloader.exe	102
PID 2492 wrote to memory of 712	2492	controllloader.exe	104
PID 2492 wrote to memory of 712	2492	controllloader.exe	104
PID 2492 wrote to memory of 1468	2492	controllloader.exe	106
PID 2492 wrote to memory of 1468	2492	controllloader.exe	106
PID 4976 wrote to memory of 4592	4976	systemload.exe	109
PID 4976 wrote to memory of 4592	4976	systemload.exe	109
PID 4592 wrote to memory of 2688	4592	msedge.exe	110
PID 4592 wrote to memory of 2688	4592	msedge.exe	110
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111
PID 4592 wrote to memory of 2636	4592	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
"C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\systemload.exe
    "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffcc18a3cb8,0x7ffcc18a3cc8,0x7ffcc18a3cd8
        5⤵
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2228 /prefetch:2
        5⤵
        
        PID:2636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
        5⤵
        
        PID:3556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
        5⤵
        
        PID:4552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
        5⤵
        
        PID:3568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        5⤵
        
        PID:3180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        5⤵
        
        PID:1632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        5⤵
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,18347217071172181500,15223502971372632349,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1276 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
- - C:\Users\Admin\AppData\Local\Temp\controllloader.exe
    "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3356
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:712
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log

Filesize
321B

MD5
f67fe6df08d4663b0496e9a0cc94640a

SHA1
d07396cfcf0c6ac3baef97ce55da213a87923095

SHA256
f7ebc9ed3149ecb8a190fbcb1d4e5524e1bdd0e603ab695d8ebff41da59fa2d4

SHA512
4f92d4a762675eee10856d08921c75cf3f9a6f92e94c21f0ef0aa5147f9a84e168e6cdb001e9a66986b0cff1c454d50a5b44715676875cf5343a3cbc5c0d5e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2dc80f5403feb8461b7ffa09890d6a0

SHA1
d5b61e6d672e7e71571e0132e21cead181da8805

SHA256
eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a

SHA512
5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c48e8b68231fb5b2d7f1188b930bc0e

SHA1
1822aef5da8fdd47626fb91afcf79a2be175a325

SHA256
c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944

SHA512
2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab88ae73d2aefc151079e0acfa3d96e3

SHA1
114621cf602c6d9cb46d3f3ebc10bcd82d2a9c16

SHA256
fdd502431408476deeb3eb447b85fc9198b4d694c854d78ef2ba981587254b58

SHA512
93103dc3ecc57c6112fc04b3664713bb2ca0f17b5dbdc039cff1459d5efdecd9a56792760746367e3c1ea306c9e922fedcf6f2ca7321ddd994d5daa0c96fee66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d70a070f8c64fcb45e0692d775aa7e1

SHA1
9d94d9e9fa7c7c4dac5682c63ce6676eb4ec4ab3

SHA256
2b50ef53380bcdabe8726de351bcab838a9f2bf840f44ff8b97fc81bf893f31b

SHA512
b3400e804772c33d4436a7dbc9fcf45e554f5e2cb84e4aa0662d7e4a3da88fb629f71e13777de5fc6d9f09cceaf4523375169cd319b695df627b03680359dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f2c0e118312ec949c72a7771eaadc7b2

SHA1
a3199f2a112cdd07de9c3716e033120a68300268

SHA256
c053db9af2f9712f4735aff453e0192d0e94d6f91dc6d42c52f12e5dde5214a5

SHA512
7e6806aa8974876101c75d5f4fc2fe6ab6a1a455d1848a2b73b5df375db7240fdec827452605307473c612346cb2a2e448b208345cd35f98941222a9b1946e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab410e90789b6c99fde4bc74922602c7

SHA1
d4697589192544635411211fc5f95295d37225ce

SHA256
12aaadf902d31ec4be2bcacc4070848caf52aec0f637e36d805238b17b6e4c9a

SHA512
c3fd48f77e4589e5a34e182d8e72133223a1ba89ded9a03da3c1774295ac8207b3a5d2c19cdb6b7f2de0f625c6ef6b788ea2c7a3cacac3bb3844af7008c19a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
486496f0bb3505b249dc96bd9d52a7bb

SHA1
5b5268f7077308716d66d437fd6de83dcd65e1f9

SHA256
b251687ea4324b418f3e70500a402b63c77e9c09d72a2729ec581280b37ab312

SHA512
26add148fb0a508f32888a994337d1f87772e1e0e101939b8f73d1b9a4d11ee9f8382f50b23c43c3795da208f3bcdb1b468187ef42cebea0786a34c05a1b76cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c1159819815ec95c2cb0f15f55addb9b

SHA1
a45ae6ea58d34325c42835fe45db8139d99961cc

SHA256
ee28019cc1e4a1206caf31143cf287ff46430f3ca1457d105220185a798c49b3

SHA512
db6d8134419a225bf2fce83488ba5de2b9ada02d1a0ef348320ff4cac1ac481ce0c810f8563deddc1a1c77bd20f49a39d7e71e79c6ce6aec0e2bc996d531d29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
02c1e78e22682f9d6da173eb73d37f11

SHA1
6af6609ddfc5071229cbfbca9aee2fabfb14649f

SHA256
f1df37576cf2e8f17ef960f3c8959fceb64dd8574a4001162fe0fd8bce18ab93

SHA512
39cb042580dda5004de8ae79b4496d803abef2a3dab5f245fe4505b3642edda630897ef534712a2ddc53dadf9b312f911cd309bad3187e13000fe3b0dd200d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee7633b167c24eb238c0f45e3f59bb9d

SHA1
333fa2e5e98e276a1cdbc9ab70bbbfc46981d0ae

SHA256
d84ee3570b2c38d7719c8ef4ec85e38c882f74d9fc4bf419ae67baaf2076dd20

SHA512
4346775d00f6cecda96af8a2c6e0e835b64ceba3a3ea2df78e65e24f668918305b95c11121b2d5e1f141eac127c9088f9edf98a338fc69e86ec3a25a362b54cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
2d1f904864001e703aae26224d120f09

SHA1
20bed371275adb78ec4dfda90fc93e9cd63ba53c

SHA256
65f88a9a16bdad030ae224f055ba5473edd8679f6209beda72249464c84e2b6a

SHA512
28ad864637f00e237a56831e8f659ff01223b3dbdbab3ef15ceec7702e010ff7f42e8134538b708ad1b7b116b87607aaffa12f57b80a1d64c8c94a8cb98b8bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ff200fb2c12fb954b6cd7598dc46ea1

SHA1
892cfc0763af15252a83ee9f47bfae9f56257313

SHA256
9ebb842e831e0ab0f673d7d87f61d54244fee5370f09791d00b6ef8ca0d9f71d

SHA512
a1654f61580cdefdf0045d68454ec41a0308e5f752d468e5f4a3adcb2e644a058c9178b75aacb84ef3ea3ce48459c6b7cfe913f78251d75f1f19f2fca0151854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
622d7dbbdb50141c73c3adcd2ed24ceb

SHA1
0ccc5a6e2b1606ec131de1c0316a5ee760d318c4

SHA256
407ac40a0db1a6356b0d5eeaeaa788ff89ed15f8e88ecaa47dd3c9a0223cf1d4

SHA512
74575b619db4516fb399c408a4c16322a69bc0cafe228ab467605cd699cc81c8d4f7a0c597cb0e3ec3f5ef945c78ab62f77dab65c552a7ca5fa08e9abb14f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpkiwjjo.4mu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.cmd

Filesize
93B

MD5
f960abd9684a879e8eca03b8c864ea96

SHA1
fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

SHA256
7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

SHA512
2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
0b1f5ef73834ea68fbab4be207eef7be

SHA1
15cb84fdef8ef01940583c9f8644993c86487314

SHA256
5f9990ec3ac392a231a4a202d78657b369161b382d34f96b4b9604a416b40728

SHA512
24c8d05571bc8b45f437bbcc7e89139cb8da2ee71b6a0849f4dc166a237ffd03cad58c09353750dfc9b018fd7650f1da5c9f92d38bc005fa586320fbf47c402d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1316-30-0x0000000001B00000-0x0000000001B10000-memory.dmp

Filesize
64KB

Download
memory/1316-27-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/1316-62-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/1316-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1316-12-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/2276-4-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2276-11-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/2276-2-0x0000000005530000-0x0000000005AD6000-memory.dmp

Filesize
5.6MB

Download
memory/2276-1-0x0000000000570000-0x00000000005AA000-memory.dmp

Filesize
232KB

Download
memory/2276-0-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/2492-65-0x00000260F6C70000-0x00000260F6C80000-memory.dmp

Filesize
64KB

Download
memory/2492-121-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/2492-63-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/2492-59-0x00000260F4620000-0x00000260F466E000-memory.dmp

Filesize
312KB

Download
memory/2492-139-0x00000260F6C70000-0x00000260F6C80000-memory.dmp

Filesize
64KB

Download
memory/3492-140-0x000001625E470000-0x000001625E480000-memory.dmp

Filesize
64KB

Download
memory/3492-123-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/3492-147-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/3492-126-0x000001625E470000-0x000001625E480000-memory.dmp

Filesize
64KB

Download
memory/3492-125-0x000001625E470000-0x000001625E480000-memory.dmp

Filesize
64KB

Download
memory/3492-124-0x000001625E470000-0x000001625E480000-memory.dmp

Filesize
64KB

Download
memory/4540-68-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/4540-67-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/4540-69-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/4540-149-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/4540-128-0x000000007F550000-0x000000007F560000-memory.dmp

Filesize
64KB

Download
memory/4540-129-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/4960-110-0x0000000007750000-0x0000000007761000-memory.dmp

Filesize
68KB

Download
memory/4960-80-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/4960-122-0x0000000007780000-0x000000000778E000-memory.dmp

Filesize
56KB

Download
memory/4960-13-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4960-26-0x0000000005CF0000-0x0000000006047000-memory.dmp

Filesize
3.3MB

Download
memory/4960-111-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4960-127-0x0000000007790000-0x00000000077A5000-memory.dmp

Filesize
84KB

Download
memory/4960-109-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4960-108-0x00000000077D0000-0x0000000007866000-memory.dmp

Filesize
600KB

Download
memory/4960-10-0x0000000005430000-0x0000000005A5A000-memory.dmp

Filesize
6.2MB

Download
memory/4960-138-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/4960-15-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/4960-90-0x0000000007210000-0x00000000072B4000-memory.dmp

Filesize
656KB

Download
memory/4960-141-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/4960-89-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/4960-14-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4960-106-0x00000000075C0000-0x00000000075CA000-memory.dmp

Filesize
40KB

Download
memory/4960-16-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/4960-7-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/4960-78-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

Filesize
64KB

Download
memory/4960-79-0x00000000071D0000-0x0000000007204000-memory.dmp

Filesize
208KB

Download
memory/4960-94-0x00000000746B0000-0x0000000074E61000-memory.dmp

Filesize
7.7MB

Download
memory/4960-5-0x0000000004D40000-0x0000000004D76000-memory.dmp

Filesize
216KB

Download
memory/4960-95-0x0000000007540000-0x000000000755A000-memory.dmp

Filesize
104KB

Download
memory/4960-64-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4960-93-0x0000000007B80000-0x00000000081FA000-memory.dmp

Filesize
6.5MB

Download
memory/4960-17-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4960-29-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/4960-28-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/4976-60-0x0000000000780000-0x00000000007A6000-memory.dmp

Filesize
152KB

Download
memory/4976-61-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/4976-120-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/5080-148-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/5080-92-0x000001CDF34A0000-0x000001CDF34B0000-memory.dmp

Filesize
64KB

Download
memory/5080-91-0x00007FFCB4E10000-0x00007FFCB58D2000-memory.dmp

Filesize
10.8MB

Download
memory/5080-107-0x000001CDF34A0000-0x000001CDF34B0000-memory.dmp

Filesize
64KB

Download
memory/5080-105-0x000001CDF35E0000-0x000001CDF3602000-memory.dmp

Filesize
136KB

Download
memory/5080-96-0x000001CDF34A0000-0x000001CDF34B0000-memory.dmp

Filesize
64KB

Download